
Windows Analysis Report
GfxDriverUpdater.exe

Overview

General Information

Sample name: GfxDriverUpdater.exe
Analysis ID: 1581428
MD5: d23183c5a659b5f5ce29168fa2cf9455
SHA1: 43e625dae54df9d8adbf687885beda89aa312357
SHA256: 2ef2d5e126c0508e5a8d9d4d9fa08d60d4987b4ca401a8d2d62c89a8ef4bcc0f
Tags: ALLstore Software-Entwicklungs GmbH, Danabot, exe, GfxDriverUpdater, signed, user-NDA0E

Detection

DanaBot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
AI detected suspicious sample
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
May use the Tor software to hide its network traffic
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • GfxDriverUpdater.exe (PID: 6268 cmdline: "C:\Users\user\Desktop\GfxDriverUpdater.exe" MD5: D23183C5A659B5F5CE29168FA2CF9455)
    • pipanel.exe (PID: 2056 cmdline: "C:\Users\user\Desktop\GfxDriverUpdater.exe" MD5: 3C98CEE428375B531A5C98F101B1E063)
    • pipanel.exe (PID: 1004 cmdline: "C:\Users\user\Desktop\GfxDriverUpdater.exe" MD5: 3C98CEE428375B531A5C98F101B1E063)
    • pipanel.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\GfxDriverUpdater.exe" MD5: 3C98CEE428375B531A5C98F101B1E063)
      • cmd.exe (PID: 6768 cmdline: cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 6220 cmdline: wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)
    • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • bumbguard.exe (PID: 3748 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe" MD5: D23183C5A659B5F5CE29168FA2CF9455)
        • pipanel.exe (PID: 3696 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe" MD5: 3C98CEE428375B531A5C98F101B1E063)
          • cmd.exe (PID: 412 cmdline: cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WMIC.exe (PID: 2176 cmdline: wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • bumbguard.exe (PID: 3964 cmdline: C:\Windows\Explorer.EXE MD5: D23183C5A659B5F5CE29168FA2CF9455)
        • pipanel.exe (PID: 5640 cmdline: C:\Windows\Explorer.EXE MD5: 3C98CEE428375B531A5C98F101B1E063)
        • pipanel.exe (PID: 1368 cmdline: C:\Windows\Explorer.EXE MD5: 3C98CEE428375B531A5C98F101B1E063)
          • cmd.exe (PID: 5644 cmdline: cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 3020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WMIC.exe (PID: 1740 cmdline: wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)
  • cleanup
Name: DanaBot
Description: Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Attribution: SCULLY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Source | Rule | Description | Author
00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
0000000E.00000003.2792024513.000000007E860000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
0000000E.00000003.2791732483.000000007E3B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
(5 of 14 Yara entries shown)
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: GfxDriverUpdater.exe | ReversingLabs: Detection: 15%
Source: Yara match | File source: 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2792024513.000000007E860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2804111019.000000007DE20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2792100374.000000007EA70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pipanel.exe PID: 6640, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_007B5354 LoadLibraryW,CryptAcquireContextA,LoadLibraryW,CryptCreateHash,LoadLibraryW,CryptHashData,LoadLibraryW,CryptDeriveKey,LoadLibraryW,CryptDecrypt,LoadLibraryW,CryptDestroyKey,LoadLibraryW,CryptDestroyHash,LoadLibraryW,CryptReleaseContext,8_2_007B5354
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 14_2_007B5354 LoadLibraryW,CryptAcquireContextA,LoadLibraryW,CryptCreateHash,LoadLibraryW,CryptHashData,LoadLibraryW,CryptDeriveKey,LoadLibraryW,CryptDecrypt,LoadLibraryW,CryptDestroyKey,LoadLibraryW,CryptDestroyHash,LoadLibraryW,CryptReleaseContext,14_2_007B5354
Source: GfxDriverUpdater.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\Users\Ashley\Documents\Visual Studio 2008\Projects\GfxDriverUpdater\Release\GfxDriverUpdater.pdb( source: GfxDriverUpdater.exe, 00000000.00000002.2630105912.00000000008AE000.00000002.00000001.01000000.00000003.sdmp, GfxDriverUpdater.exe, 00000000.00000000.1664013928.00000000008AE000.00000002.00000001.01000000.00000003.sdmp, bumbguard.exe, 0000000D.00000000.2658842636.00000000008AE000.00000002.00000001.01000000.00000006.sdmp, bumbguard.exe, 0000000D.00000002.2733136253.00000000008AE000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: wntdll.pdbUGP source: GfxDriverUpdater.exe, 00000000.00000002.2631058634.0000000002840000.00000040.00001000.00020000.00000000.sdmp, bumbguard.exe, 0000000D.00000002.2733877832.0000000002690000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: GfxDriverUpdater.exe, 00000000.00000002.2631058634.0000000002840000.00000040.00001000.00020000.00000000.sdmp, bumbguard.exe, 0000000D.00000002.2733877832.0000000002690000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Ashley\Documents\Visual Studio 2008\Projects\GfxDriverUpdater\Release\GfxDriverUpdater.pdb source: GfxDriverUpdater.exe, 00000000.00000002.2630105912.00000000008AE000.00000002.00000001.01000000.00000003.sdmp, GfxDriverUpdater.exe, 00000000.00000000.1664013928.00000000008AE000.00000002.00000001.01000000.00000003.sdmp, bumbguard.exe, 0000000D.00000000.2658842636.00000000008AE000.00000002.00000001.01000000.00000006.sdmp, bumbguard.exe, 0000000D.00000002.2733136253.00000000008AE000.00000002.00000001.01000000.00000006.sdmp
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_0040D174 FindFirstFileW,FindClose,8_2_0040D174
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_0040CBA8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,8_2_0040CBA8
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_0569E190 FindFirstFileW,FindClose,8_2_0569E190
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_0569DBC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,8_2_0569DBC4
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 14_2_0040D174 FindFirstFileW,FindClose,14_2_0040D174
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 14_2_0040CBA8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,14_2_0040CBA8
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 14_2_0564E190 FindFirstFileW,FindClose,14_2_0564E190
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 14_2_0564DBC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,14_2_0564DBC4
Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: unknown | TCP traffic detected without corresponding DNS query: 94.131.15.11
Source: unknown | TCP traffic detected without corresponding DNS query: 91.242.163.235
Source: unknown | TCP traffic detected without corresponding DNS query: 198.23.237.249
Source: unknown | TCP traffic detected without corresponding DNS query: 52.47.90.144
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 00000009.00000000.2609924987.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2925332432.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
            Source: explorer.exe, 00000009.00000002.2925332432.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2609924987.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
            Source: explorer.exe, 00000009.00000002.2914544681.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2603694386.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
            Source: explorer.exe, 00000009.00000000.2603694386.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
            Source: explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
            Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49827
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49834
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49822

            E-Banking Fraud

            Source: Yara match | File source: 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000003.2792024513.000000007E860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.2804111019.000000007DE20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000003.2792100374.000000007EA70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: pipanel.exe PID: 6640, type: MEMORYSTR

            System Summary

            Source: GfxDriverUpdater.exe | Static PE information: section name: (empty; reported for 8 nameless sections)
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Code function: 0_2_00B53A6E NtWriteVirtualMemory,NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Code function: 0_2_00B53A53 NtWriteVirtualMemory,NtWriteVirtualMemory
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_007B4F2C LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory,NtQueryVirtualMemory
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_007B4FD4 NtQueryVirtualMemory
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_05B54A54 LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Code function: 13_2_024B3A53 NtWriteVirtualMemory,NtWriteVirtualMemory
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Code function: 13_2_024B3A6E NtWriteVirtualMemory,NtWriteVirtualMemory
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 14_2_007B4F2C LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory,NtQueryVirtualMemory
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 14_2_007B4FD4 NtQueryVirtualMemory
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 14_2_05B04A54 LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Code function: 0_2_00B60400
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Code function: 0_2_00B578E0
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Code function: 0_2_00B6D190
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Code function: 0_2_00B5F150
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Code function: 0_2_00B60C30
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Code function: 0_2_00B61530
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_007E650C
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_007E29C0
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_007E6B54
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Code function: 13_2_024C0400
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Code function: 13_2_024B78E0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Code function: 13_2_024BF150
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Code function: 13_2_024CD190
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Code function: 13_2_024C0C30
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Code function: 13_2_024C1530
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 14_2_007E650C
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 14_2_007E29C0
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 14_2_007E6B54
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: String function: 00411CC0 appears 32 times
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: String function: 0040A2DC appears 46 times
            Source: GfxDriverUpdater.exe | Static PE information: invalid certificate
            Source: GfxDriverUpdater.exe | Binary or memory string: OriginalFilename vs GfxDriverUpdater.exe
            Source: GfxDriverUpdater.exe, 00000000.00000002.2631058634.000000000296D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs GfxDriverUpdater.exe
            Source: GfxDriverUpdater.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: GfxDriverUpdater.exe | Static PE information: Section: ZLIB complexity 1.021484375 (reported for 3 sections)
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@32/0@0/5
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_007E93D8 CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | File created: C:\Users\user\AppData\Local\Gbumps Inc
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Mutant created: \Sessions\1\BaseNamedObjects\dRvzfOqBs
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Mutant created: \Sessions\1\BaseNamedObjects\gBInqBIvL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Mutant created: \Sessions\1\BaseNamedObjects\sIDAAIcyL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (reported 10 times)
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
            Source: pipanel.exe, pipanel.exe, 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: pipanel.exe, pipanel.exe, 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: pipanel.exe, pipanel.exe, 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: pipanel.exe, 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: GfxDriverUpdater.exe | ReversingLabs: Detection: 15%
            Source: pipanel.exe | String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
            Source: unknown | Process created: C:\Users\user\Desktop\GfxDriverUpdater.exe "C:\Users\user\Desktop\GfxDriverUpdater.exe"
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe "C:\Users\user\Desktop\GfxDriverUpdater.exe"
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe "C:\Users\user\Desktop\GfxDriverUpdater.exe"
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe "C:\Users\user\Desktop\GfxDriverUpdater.exe"
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe"
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe C:\Windows\Explorer.EXE
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe C:\Windows\Explorer.EXE
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe C:\Windows\Explorer.EXE
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: dxgi.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: version.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: netapi32.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: winmm.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: winmmbase.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: mmdevapi.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: devobj.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: ksuser.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: avrt.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: audioses.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: powrprof.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: umpdc.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: msacm32.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: midimap.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: mpr.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: wsock32.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: rasapi32.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: rasman.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: samcli.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: avifil32.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Section loaded: msvfw32.dll
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeSection loaded: cryptui.dllJump to behavior
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeSection loaded: pstorec.dllJump to behavior
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: smartscreenps.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeSection loaded: msimg32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InProcServer32
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: GfxDriverUpdater.exe Static file information: File size 5409368 > 1048576
            Source: GfxDriverUpdater.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x4ad000
            Source: GfxDriverUpdater.exe Static PE information: More than 200 imports for USER32.dll
            Source: GfxDriverUpdater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\Users\Ashley\Documents\Visual Studio 2008\Projects\GfxDriverUpdater\Release\GfxDriverUpdater.pdb( source: GfxDriverUpdater.exe, 00000000.00000002.2630105912.00000000008AE000.00000002.00000001.01000000.00000003.sdmp, GfxDriverUpdater.exe, 00000000.00000000.1664013928.00000000008AE000.00000002.00000001.01000000.00000003.sdmp, bumbguard.exe, 0000000D.00000000.2658842636.00000000008AE000.00000002.00000001.01000000.00000006.sdmp, bumbguard.exe, 0000000D.00000002.2733136253.00000000008AE000.00000002.00000001.01000000.00000006.sdmp
            Source: Binary string: wntdll.pdbUGP source: GfxDriverUpdater.exe, 00000000.00000002.2631058634.0000000002840000.00000040.00001000.00020000.00000000.sdmp, bumbguard.exe, 0000000D.00000002.2733877832.0000000002690000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: GfxDriverUpdater.exe, 00000000.00000002.2631058634.0000000002840000.00000040.00001000.00020000.00000000.sdmp, bumbguard.exe, 0000000D.00000002.2733877832.0000000002690000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Ashley\Documents\Visual Studio 2008\Projects\GfxDriverUpdater\Release\GfxDriverUpdater.pdb source: GfxDriverUpdater.exe, 00000000.00000002.2630105912.00000000008AE000.00000002.00000001.01000000.00000003.sdmp, GfxDriverUpdater.exe, 00000000.00000000.1664013928.00000000008AE000.00000002.00000001.01000000.00000003.sdmp, bumbguard.exe, 0000000D.00000000.2658842636.00000000008AE000.00000002.00000001.01000000.00000006.sdmp, bumbguard.exe, 0000000D.00000002.2733136253.00000000008AE000.00000002.00000001.01000000.00000006.sdmp
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Code function: 8_2_007B4A04 GetModuleHandleW,IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleW, 8_2_007B4A04
            Source: GfxDriverUpdater.exe Static PE information: section name:
            Source: GfxDriverUpdater.exe Static PE information: section name:
            Source: GfxDriverUpdater.exe Static PE information: section name:
            Source: GfxDriverUpdater.exe Static PE information: section name:
            Source: GfxDriverUpdater.exe Static PE information: section name:
            Source: GfxDriverUpdater.exe Static PE information: section name:
            Source: GfxDriverUpdater.exe Static PE information: section name:
            Source: GfxDriverUpdater.exe Static PE information: section name:
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B81CB5 push ax; mov dword ptr [esp], esi 0_2_00B81CB8
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B85AA9 push dword ptr [esp+0Ch]; retn 0010h 0_2_00B85AC0
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B826AD push dword ptr [esp+08h]; retn 000Ch 0_2_00B828DA
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B85C9C push dword ptr [esp+1Ch]; retn 0020h 0_2_00B85CA6
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B85A96 push dword ptr [esp+0Ch]; retn 0010h 0_2_00B85AC0
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00BA1888 push ss; ret 0_2_00BA1935
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B8288B push dword ptr [esp+08h]; retn 000Ch 0_2_00B828DA
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B800FD push eax; ret 0_2_00B80240
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B826FF push dword ptr [esp+10h]; retn 0014h 0_2_00B8271B
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B85AF5 push dword ptr [esp+0Ch]; retn 0010h 0_2_00B85AC0
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B816F6 push dword ptr [esp+28h]; retn 002Ch 0_2_00B816D5
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B818E8 push dword ptr [esp+04h]; retn 0008h 0_2_00B81907
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B826E9 push dword ptr [esp+10h]; retn 0014h 0_2_00B8271B
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B828C2 push dword ptr [esp+08h]; retn 000Ch 0_2_00B828DA
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B85AC3 push dword ptr [esp+0Ch]; retn 0010h 0_2_00B85AC0
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B826C4 push dword ptr [esp+08h]; retn 000Ch 0_2_00B828DA
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B80429 push dword ptr [esp+04h]; retn 0008h 0_2_00B8042F
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B80013 push eax; retf 0_2_00B80023
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B80204 push dword ptr [esp+08h]; retn 000Ch 0_2_00B80192
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B84E04 push dword ptr [esp+14h]; retn 0018h 0_2_00B84E08
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B8147B push dword ptr [esp+24h]; retn 0028h 0_2_00B81473
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B8147E push dword ptr [esp+24h]; retn 0028h 0_2_00B81473
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B81873 push dword ptr [esp+08h]; retn 000Ch 0_2_00B81879
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B8186C push dword ptr [esp+08h]; retn 000Ch 0_2_00B81879
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B81464 push dword ptr [esp+24h]; retn 0028h 0_2_00B81473
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B8025A push dword ptr [esp+08h]; retn 000Ch 0_2_00B80192
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B8025B push dword ptr [esp+08h]; retn 000Ch 0_2_00B80192
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B801A5 push dword ptr [esp+08h]; retn 000Ch 0_2_00B80192
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B80182 push dword ptr [esp+08h]; retn 000Ch 0_2_00B80192
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B80586 push ebx; ret 0_2_00B80589
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B85B2D push dword ptr [esp+0Ch]; retn 0010h 0_2_00B85AC0

            Hooking and other Techniques for Hiding and Protection

            barindex
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe File opened: C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe:Zone.Identifier read attributes | delete
            Source: pipanel.exe, 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2638520667.000000007E5E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: torConnect
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Memory written: PID: 6640 base: 76F02EC0 value: E9 3B D1 F8 89
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe Memory written: PID: 3696 base: 76F02EC0 value: E9 3B D1 0E 8C
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe Memory written: PID: 1368 base: 76F02EC0 value: E9 3B D1 0A 8C
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive WHERE DeviceID=\'c:\'
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive WHERE DeviceID=\'c:\'
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive WHERE DeviceID=\'c:\'
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive WHERE DeviceID=\'c:\'
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220D304
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220D6E4
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220DA04
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220D6C4
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220D424
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220E654
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220D244
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220D2E4
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220D744
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220D784
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe API/Special instruction interceptor: Address: 7FFE2220E814
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220D304
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220D6E4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220DA04
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220D244
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220D2E4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220D6C4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220D424
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220E654
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220D744
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220D784
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe API/Special instruction interceptor: Address: 7FFE2220E814
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe RDTSC instruction interceptor: First address: B81FB5 second address: B81FB7 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe RDTSC instruction interceptor: First address: 24E1FB5 second address: 24E1FB7 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe RDTSC instruction interceptor: First address: C31FB5 second address: C31FB7 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe Code function: 0_2_00B81873 rdtsc 0_2_00B81873
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Window / User API: threadDelayed 9991
            Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 636
            Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 618
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Window / User API: threadDelayed 8896
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Window / User API: threadDelayed 1104
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Window / User API: threadDelayed 9998
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe TID: 6272 Thread sleep count: 39 > 30
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe TID: 6092 Thread sleep count: 8896 > 30
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe TID: 6092 Thread sleep count: 1104 > 30
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe TID: 3864 Thread sleep count: 9998 > 30
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Code function: 8_2_0040D174 FindFirstFileW,FindClose, 8_2_0040D174
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Code function: 8_2_0040CBA8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 8_2_0040CBA8
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Code function: 8_2_0569E190 FindFirstFileW,FindClose, 8_2_0569E190
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeCode function: 8_2_0569DBC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,8_2_0569DBC4
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeCode function: 14_2_0040D174 FindFirstFileW,FindClose,14_2_0040D174
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeCode function: 14_2_0040CBA8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,14_2_0040CBA8
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeCode function: 14_2_0564E190 FindFirstFileW,FindClose,14_2_0564E190
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeCode function: 14_2_0564DBC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,14_2_0564DBC4
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeCode function: 8_2_007E99F0 GetSystemInfo,GetLogicalProcessorInformation,GetLastError,GetLogicalProcessorInformation,8_2_007E99F0
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
            Source: explorer.exe, 00000009.00000000.2607167304.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: explorer.exe, 00000009.00000002.2920075641.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00\w
            Source: explorer.exe, 00000009.00000002.2914544681.00000000078A0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
            Source: explorer.exe, 00000009.00000000.2607167304.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: explorer.exe, 00000009.00000000.2601526084.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
            Source: pipanel.exe, 0000000E.00000003.2797738632.00000000032DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000009.00000000.2607167304.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
            Source: explorer.exe, 00000009.00000000.2603694386.00000000078AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTTAVMWare
            Source: explorer.exe, 00000009.00000002.2920075641.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
            Source: pipanel.exe, 00000008.00000003.2663552361.00000000033AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: explorer.exe, 00000009.00000000.2606241424.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2606241424.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2920075641.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2920075641.000000000982D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: explorer.exe, 00000009.00000000.2607167304.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
            Source: explorer.exe, 00000009.00000002.2914544681.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2603694386.0000000007A34000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnx
            Source: explorer.exe, 00000009.00000002.2920075641.0000000009660000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
            Source: explorer.exe, 00000009.00000000.2601526084.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: pipanel.exe, 00000008.00000002.2909953795.0000000003358000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000002.2799643694.0000000003288000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: explorer.exe, 00000009.00000000.2601526084.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeAPI call chain: ExitProcess graph end nodegraph_8-8798
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeAPI call chain: ExitProcess graph end nodegraph_8-8712
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeAPI call chain: ExitProcess graph end nodegraph_14-9141
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeAPI call chain: ExitProcess graph end nodegraph_14-8758
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeCode function: 0_2_00B81873 rdtsc 0_2_00B81873
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeCode function: 8_2_007B4A04 GetModuleHandleW,IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleW,8_2_007B4A04
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeCode function: 0_2_00B60810 mov eax, dword ptr fs:[00000030h]0_2_00B60810
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeCode function: 0_2_00B5384E mov eax, dword ptr fs:[00000030h]0_2_00B5384E
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeCode function: 0_2_00B5613A mov edx, dword ptr fs:[00000030h]0_2_00B5613A
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeCode function: 0_2_00B52A75 mov edx, dword ptr fs:[00000030h]0_2_00B52A75
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeCode function: 0_2_00B51257 mov edx, dword ptr fs:[00000030h]0_2_00B51257
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exeCode function: 0_2_00B526BB mov ebx, dword ptr fs:[00000030h]0_2_00B526BB
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeCode function: 13_2_024B1257 mov edx, dword ptr fs:[00000030h]13_2_024B1257
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeCode function: 13_2_024B2A75 mov edx, dword ptr fs:[00000030h]13_2_024B2A75
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeCode function: 13_2_024B384E mov eax, dword ptr fs:[00000030h]13_2_024B384E
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeCode function: 13_2_024C0810 mov eax, dword ptr fs:[00000030h]13_2_024C0810
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeCode function: 13_2_024B613A mov edx, dword ptr fs:[00000030h]13_2_024B613A
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exeCode function: 13_2_024B26BB mov ebx, dword ptr fs:[00000030h]13_2_024B26BB
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exeCode function: 8_2_007B5008 VirtualAlloc,VirtualAlloc,GetModuleHandleW,GetModuleHandleW,GetProcessHeap,RtlAllocateHeap,GetModuleHandleW,GetModuleHandleW,GetNativeSystemInfo,VirtualAlloc,8_2_007B5008

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: E90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2EB0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory allocated: C:\Windows\explorer.exe base: 11B0000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2FF0000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 3200000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory allocated: C:\Windows\explorer.exe base: 13A0000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2FB0000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2FC0000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory allocated: C:\Windows\explorer.exe base: 13B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Thread created: C:\Windows\explorer.exe EIP: 11B0292
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Thread created: unknown EIP: 13A0292
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Thread created: unknown EIP: 13B0292
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: PID: 6640 base: 76F02EC0 value: E9
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: PID: 3696 base: 76F02EC0 value: E9
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: PID: 1368 base: 76F02EC0 value: E9
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: PID: 2580 base: 11B0000 value: 43
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: PID: 2580 base: 13A0000 value: 43
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: PID: 2580 base: 13B0000 value: 43
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 401000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7EE000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7EF000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7F7000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7FD000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7FF000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 800000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 801000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 802000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 803000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 81D000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 31E5008
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: E90000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 76F02EC0
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2EB0000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 76FB5DB4
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 76FB5DB0
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Windows\explorer.exe base: 11B0000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 401000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7EE000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7EF000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7F7000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7FD000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7FF000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 800000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 801000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 802000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 803000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 81D000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 30A2008
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2FF0000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 76F02EC0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 3200000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 76FB5DB4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 76FB5DB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Windows\explorer.exe base: 13A0000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 401000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7EE000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7EF000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7F7000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7FD000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 7FF000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 800000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 801000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 802000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 803000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 81D000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 3185008
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2FB0000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 76F02EC0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2FC0000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 76FB5DB4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 76FB5DB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Memory written: C:\Windows\explorer.exe base: 13B0000
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe "C:\Users\user\Desktop\GfxDriverUpdater.exe"
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe "C:\Users\user\Desktop\GfxDriverUpdater.exe"
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe "C:\Users\user\Desktop\GfxDriverUpdater.exe"
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe"
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe C:\Windows\Explorer.EXE
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe C:\Windows\Explorer.EXE
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
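            The evasion and injection events above are listed flat, one per line, so the injection chain (RWX allocation in a foreign process, an MZ header written at its image base, a single 0xE9 byte written at the same high address in every target, a thread started inside the allocated region) has to be reassembled by hand. The following triage script is an added example, not part of this report or of Joe Sandbox; it parses lines in the shape `Source: <process> | <event>` (the ' | ' separator is an assumption about how the report's two columns were flattened), correlates them per source/target pair, and lists the anti-analysis indicators (RDTSC timing, long sleep loops, the WMI disk-serial query, VMware/Hyper-V strings) per process. The sample lines are constructed copies of lines in this section; the 1 MiB region-size bound used to tie a thread start address to an allocation is an assumption, since the report gives no region sizes.

```python
"""Triage helper for flattened sandbox signature lines.

Added example for this report, not Joe Sandbox code. Each input line is
assumed to have the shape
    Source: <acting process> | <event description>
with ' | ' separating the report's two columns (an assumption about how the
table was flattened). Hex addresses appear without a 0x prefix, as above.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied in shape from the report section above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | RDTSC instruction interceptor: First address: B81FB5 second address: B81FB7 instructions: 0x00000000 rdtsc 0x00000002 rdtsc",
    r"Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe TID: 6092 | Thread sleep count: 8896 > 30",
    r"Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory written: PID: 6640 base: 76F02EC0 value: E9",
    r"Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Memory allocated: C:\Windows\explorer.exe base: 11B0000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Thread created: C:\Windows\explorer.exe EIP: 11B0292",
    r"""Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value""",
    r"Source: explorer.exe, 00000009.00000000.2607167304.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000",
]

LINE_RE = re.compile(r"^Source: (?P<source>.+?) \| (?P<event>.+)$")

# First matching pattern wins; named groups become the finding's fields.
PATTERNS = [
    ("rwx_alloc", re.compile(r"^Memory allocated: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: page execute and read and write$")),
    ("pe_written", re.compile(r"^Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: 4D5A$")),
    # A lone 0xE9 is the x86 opcode for a near jmp rel32: the first byte of an inline hook.
    ("jmp_patch", re.compile(r"^Memory written: PID: (?P<pid>\d+) base: (?P<base>[0-9A-Fa-f]+) value: E9$")),
    ("remote_thread", re.compile(r"^Thread created: (?P<target>.+?) EIP: (?P<eip>[0-9A-Fa-f]+)$")),
    ("rdtsc_timing", re.compile(r"^RDTSC instruction interceptor:")),
    ("sleep_loop", re.compile(r"^Thread sleep count: (?P<count>\d+) > 30$")),
    ("disk_serial_query", re.compile(r"^Process created: .*\bwmic diskdrive\b.*\bSerialNumber\b", re.IGNORECASE)),
    ("vm_artifact", re.compile(r"^Binary or memory string: .*(?:VMware|Hyper-V|VBox|QEMU)", re.IGNORECASE)),
]
EVASION = {"rdtsc_timing", "sleep_loop", "disk_serial_query", "vm_artifact"}


def parse_line(line):
    """Return a finding dict for one report line, or None if it is not a report line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Normalise the source column to a process path: drop ", <dump id>" and " TID: n".
    source = m["source"].split(",")[0].split(" TID:")[0]
    for label, rx in PATTERNS:
        hit = rx.match(m["event"])
        if hit:
            return {"source": source, "label": label, **hit.groupdict()}
    return {"source": source, "label": "other", "event": m["event"]}


def triage(lines):
    """Group findings by the acting process."""
    by_source = defaultdict(list)
    for f in filter(None, map(parse_line, lines)):
        by_source[f["source"]].append(f)
    return dict(by_source)


def evasion_indicators(by_source):
    """Sorted evasion labels per process that shows at least one."""
    return {src: sorted({f["label"] for f in fs if f["label"] in EVASION})
            for src, fs in by_source.items() if any(f["label"] in EVASION for f in fs)}


def hooks(by_source):
    """(source, target pid, address) for every single-byte jmp opcode written into another process."""
    return [(src, f["pid"], f["base"].upper())
            for src, fs in by_source.items() for f in fs if f["label"] == "jmp_patch"]


def injection_chains(by_source, max_region=0x100000):
    """Correlate RWX allocation, MZ write and remote thread per (source, target).
    The report gives no region sizes, so a thread start address is attributed to an
    allocation when it lies within max_region bytes above that base (assumption)."""
    out = []
    for src, fs in by_source.items():
        targets = defaultdict(lambda: {"rwx_alloc": [], "pe_written": [], "remote_thread": []})
        for f in fs:
            if f["label"] in ("rwx_alloc", "pe_written", "remote_thread"):
                targets[f["target"]][f["label"]].append(f)
        for tgt, steps in targets.items():
            bases = [int(a["base"], 16) for a in steps["rwx_alloc"]]
            mz_in_rwx = any(int(w["base"], 16) in bases for w in steps["pe_written"])
            thread_in_rwx = any(0 <= int(t["eip"], 16) - b < max_region
                                for t in steps["remote_thread"] for b in bases)
            if mz_in_rwx:
                verdict = "pe_injection"          # full PE image dropped into RWX memory
            elif thread_in_rwx:
                verdict = "remote_thread_in_rwx"  # code started inside the injected region
            elif bases:
                verdict = "rwx_alloc_only"
            else:
                verdict = "write_without_alloc"
            out.append({"source": src, "target": tgt, "verdict": verdict,
                        "steps": {k: len(v) for k, v in steps.items()}})
    return out


if __name__ == "__main__":
    res = triage(SAMPLE_LINES)
    for chain in injection_chains(res):
        print(f'{chain["source"]} -> {chain["target"]}: {chain["verdict"]} {chain["steps"]}')
    for src, pid, addr in hooks(res):
        print(f"{src} wrote jmp opcode into PID {pid} at {addr}")
    for src, labels in evasion_indicators(res).items():
        print(f"{src}: evasion {labels}")
```

            Run on the sample, the script reports GfxDriverUpdater.exe writing a PE image into RWX memory at pipanel.exe's image base (the hollowing-style injection the report flags as "Injects a PE file into a foreign processes"), a remote thread started inside the RWX region it allocated in explorer.exe, and the jmp opcode written into PID 6640 at 76F02EC0; the same address receives an E9 in every target, which is consistent with a hook in a shared system DLL, although the report does not name the module.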
            Source: pipanel.exe, explorer.exe, 00000009.00000002.2910430384.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2603402823.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2606241424.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000009.00000002.2910430384.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2601912643.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: pipanel.exe, 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
            Source: pipanel.exe, 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: explorer.exeShell_TrayWnd
            Source: explorer.exe, 00000009.00000002.2908766689.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2601526084.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
            Source: explorer.exe, 00000009.00000002.2910430384.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2601912643.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 00000009.00000002.2910430384.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2601912643.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Code function: 0_2_00B51F9C cpuid 0_2_00B51F9C
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,8_2_0040D2AC
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_0040C74C
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,8_2_0569E2C8
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_0569D768
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,14_2_0040D2AC
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_0040C74C
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,14_2_0564E2C8
            Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_0564D768
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\GfxDriverUpdater.exe | Code function: 0_2_005016B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_005016B0
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: 8_2_05B55034 GetVersionExW,GetVersionExW,LoadLibraryW,8_2_05B55034
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2792024513.000000007E860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2804111019.000000007DE20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2792100374.000000007EA70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pipanel.exe PID: 6640, type: MEMORYSTR
Source: Yara match | File source: 0000000E.00000003.2791732483.000000007E3B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.2638188923.000000007E220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pipanel.exe PID: 3696, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2792024513.000000007E860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2804111019.000000007DE20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2792100374.000000007EA70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pipanel.exe PID: 6640, type: MEMORYSTR
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: cmd.exe /C 8_2_007E9508
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | Code function: cmd.exe /C 14_2_007E9508
MITRE ATT&CK Matrix (techniques listed per tactic column; leading digits are the badge values shown in the report's matrix, kept as extracted)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 612 Process Injection | 1 Masquerading | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Credential API Hooking | 22 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 321 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Multi-hop Proxy | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 612 Process Injection | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 1 Proxy | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 2 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 365 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1581428, Sample: GfxDriverUpdater.exe, Startdate: 27/12/2024, Architecture: WINDOWS, Score: 100

Signatures on the sample: Multi AV Scanner detection for submitted file; Yara detected DanaBot stealer dll; PE file has nameless sections; 3 other signatures

Process tree as drawn in the behavior graph (parent to child; "started" and "injected" are the graph's own edge labels):

GfxDriverUpdater.exe (started)
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Injects code into the Windows Explorer (explorer.exe); 7 other signatures
  explorer.exe (injected)
    bumbguard.exe (started)
      Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Injects code into the Windows Explorer (explorer.exe); Injects a PE file into a foreign processes
      pipanel.exe (started)
        cmd.exe (started)
          conhost.exe (started)
          WMIC.exe (started)
      pipanel.exe (started)
    bumbguard.exe (started)
      Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      pipanel.exe (started)
        DNS/IP: 127.0.0.1 unknown unknown
        cmd.exe (started)
          WMIC.exe (started)
          conhost.exe (started)
  pipanel.exe (started)
    DNS/IP: 91.242.163.235, 443, 49827 OOO-SYSMEDIA-ASRU Russian Federation; 94.131.15.11, 443, 49822 NASSIST-ASGI Ukraine; 2 other IPs or domains
    Signatures: May use the Tor software to hide its network traffic
    cmd.exe (started)
      WMIC.exe (started)
        Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      conhost.exe (started)
  pipanel.exe (started)
  pipanel.exe (started)



Source | Detection | Scanner | Label | Link
GfxDriverUpdater.exe | 16% | ReversingLabs | Win32.Infostealer.Babar |
            No Antivirus matches
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://html4/loose.dtd | pipanel.exe, pipanel.exe, 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://aka.ms/odirm | explorer.exe, 00000009.00000000.2603694386.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.mi | explorer.exe, 00000009.00000000.2609924987.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2925332432.000000000C964000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.openssl.org/V | pipanel.exe, 00000008.00000002.2917539718.0000000063469000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2918330461.000000006E66F000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2642670419.000000007E470000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2641943702.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2641608701.000000007E710000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2644398063.000000007E910000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2645447377.000000007F860000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2647661380.000000007E770000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2646211711.000000007F920000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2643313414.000000007E830000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000003.2795654411.000000007EAA0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000003.2795518146.000000007E9C0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000003.2794317336.000000007EC70000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000003.2794012316.000000007E8A0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000002.2803620386.0000000063469000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000003.2797028117.000000007E900000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl | explorer.exe, 00000009.00000000.2603694386.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://powerpoint.office.comcember | explorer.exe, 00000009.00000002.2925332432.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2609924987.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2606241424.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2920075641.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re- | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://excel.office.com | explorer.exe, 00000009.00000002.2925332432.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2609924987.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://.css | pipanel.exe, 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.micro | explorer.exe, 00000009.00000000.2605607944.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2607406476.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.2918300826.0000000007F40000.00000002.00000001.00040000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.openssl.org/support/faq.html | pipanel.exe, 00000008.00000003.2642670419.000000007E470000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2641123463.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2641943702.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2641608701.000000007E710000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2917539718.0000000063281000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2646211711.000000007F920000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000003.2794317336.000000007EC70000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000003.2793654303.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000003.2794012316.000000007E8A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000009.00000002.2914544681.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2603694386.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com/q | explorer.exe, 00000009.00000000.2606241424.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2920075641.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000009.00000002.2925332432.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1 | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://.jpg | pipanel.exe, pipanel.exe, 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg | explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A | explorer.exe, 00000009.00000002.2914544681.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2603694386.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://wns.windows.com/L | explorer.exe, 00000009.00000000.2609924987.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2925332432.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://word.office.com | explorer.exe, 00000009.00000002.2925332432.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2609924987.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000009.00000002.2914544681.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2603694386.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.micr | explorer.exe, 00000009.00000000.2609924987.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2925332432.000000000C964000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false |
                                                                                      high
                                                                                      https://aka.ms/Vh5j3kexplorer.exe, 00000009.00000000.2603694386.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.00000000079FB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://api.msn.com/v1/news/Feed/Windows?&explorer.exe, 00000009.00000002.2920075641.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2606241424.00000000096DF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.openssl.org/support/faq.htmlRANDpipanel.exe, 00000008.00000003.2642670419.000000007E470000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2641123463.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2641943702.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2641608701.000000007E710000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.2917539718.0000000063281000.00000040.00001000.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.2646211711.000000007F920000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000003.2794317336.000000007EC70000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000003.2793654303.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp, pipanel.exe, 0000000E.00000003.2794012316.000000007E8A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svgexplorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://android.notify.windows.com/iOSexplorer.exe, 00000009.00000002.2925332432.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2609924987.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/arexplorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000009.00000002.2914544681.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2603694386.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://api.msn.com/explorer.exe, 00000009.00000000.2606241424.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2920075641.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-dexplorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://outlook.com_explorer.exe, 00000009.00000002.2925332432.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2609924987.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-darkexplorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://www.msn.com:443/en-us/feedexplorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-ofexplorer.exe, 00000009.00000000.2603694386.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2914544681.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          • No. of IPs < 25%
                                                                                                                          • 25% < No. of IPs < 50%
                                                                                                                          • 50% < No. of IPs < 75%
                                                                                                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
198.23.237.249 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
91.242.163.235 | unknown | Russian Federation | 61335 | OOO-SYSMEDIA-ASRU | false
52.47.90.144 | unknown | United States | 16509 | AMAZON-02US | false
94.131.15.11 | unknown | Ukraine | 29632 | NASSIST-ASGI | false
                                                                                                                          IP
                                                                                                                          127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581428
Start date and time: 2024-12-27 16:04:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GfxDriverUpdater.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@32/0@0/5
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: GfxDriverUpdater.exe
Time | Type | Description
10:06:30 | API Interceptor | 3x Sleep call for process: WMIC.exe modified
15:06:26 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe
                                                                                                                          No context
                                                                                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | 1evAkYZpwDV0N4v.exe | malicious | Remcos | 192.3.64.152
AS-COLOCROSSINGUS | Recaipt202431029.exe | malicious | XWorm | 172.245.244.69
AS-COLOCROSSINGUS | powerpc.nn.elf | malicious | Mirai, Okiru | 23.249.167.71
AS-COLOCROSSINGUS | file.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm | 104.168.28.10
AS-COLOCROSSINGUS | dbus.elf | malicious | Unknown | 107.172.88.151
AS-COLOCROSSINGUS | cB1ItKbbhY.msi | malicious | Unknown | 23.94.207.151
AS-COLOCROSSINGUS | tTdMHr6SlJ.dll | malicious | Unknown | 23.94.207.151
AS-COLOCROSSINGUS | e5mIhMkcj5.exe | malicious | Unknown | 23.94.207.151
AS-COLOCROSSINGUS | PVKDyWHOaX.exe | malicious | Unknown | 23.94.207.151
AS-COLOCROSSINGUS | RcFBMph6zu.exe | malicious | Unknown | 23.94.207.151
AMAZON-02US | mips.elf | malicious | Unknown | 54.171.230.55
AMAZON-02US | JA7cOAGHym.exe | malicious | Vidar | 108.139.47.92
AMAZON-02US | byte.ppc.elf | malicious | Mirai, Okiru | 54.171.230.55
AMAZON-02US | .i.elf | malicious | Unknown | 54.171.230.55
AMAZON-02US | grand-theft-auto-5-theme-1-installer_qb8W-j1.exe | malicious | Unknown | 44.236.142.208
AMAZON-02US | Space.arm6.elf | malicious | Unknown | 54.217.10.153
AMAZON-02US | https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 | malicious | Unknown | 52.53.112.200
AMAZON-02US | https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 | malicious | Unknown | 52.53.112.200
AMAZON-02US | https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 | malicious | Unknown | 52.53.112.200
AMAZON-02US | https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 | malicious | Unknown | 52.53.112.200
NASSIST-ASGI | TeikwYB2tm.exe | malicious | DanaBot | 94.131.118.216
NASSIST-ASGI | TeikwYB2tm.exe | malicious | DanaBot | 94.131.118.216
NASSIST-ASGI | A4FY1OA97K.lnk | malicious | DanaBot | 94.131.118.216
NASSIST-ASGI | vreFmptfUu.lnk | malicious | DanaBot | 94.131.118.216
NASSIST-ASGI | https://reddsuth.outfitsrl.it/?46525SU=4TI90K00D | malicious | Unknown | 94.131.117.116
NASSIST-ASGI | tmpzNIZ0YQ.exe | malicious | ScreenConnect Tool | 95.164.16.15
NASSIST-ASGI | H36NgltNe7.exe | malicious | ScreenConnect Tool | 95.164.16.15
NASSIST-ASGI | lat0Kwfbuj.exe | malicious | ScreenConnect Tool | 95.164.16.15
NASSIST-ASGI | Josho.m68k.elf | malicious | Unknown | 95.164.4.65
NASSIST-ASGI | J5uGzpvcAa.elf | malicious | Unknown | 95.164.4.65
OOO-SYSMEDIA-ASRU | file.exe | malicious | DanaBot | 91.242.163.155
OOO-SYSMEDIA-ASRU | file.exe | malicious | DanaBot | 91.242.163.155
                                                                                                                          No context
                                                                                                                          No context
                                                                                                                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.73423206165675
TrID:
• Win32 Executable (generic) a (10002005/4) 99.83%
• Windows Screen Saver (13104/52) 0.13%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: GfxDriverUpdater.exe
File size: 5'409'368 bytes
MD5: d23183c5a659b5f5ce29168fa2cf9455
SHA1: 43e625dae54df9d8adbf687885beda89aa312357
SHA256: 2ef2d5e126c0508e5a8d9d4d9fa08d60d4987b4ca401a8d2d62c89a8ef4bcc0f
SHA512: f820c327848d0fae8828b0d28c10201842e49205530e7f3f88408ffb77a813e82fc75706a889758879174d5d1cb70379fc4f2ce55a0f330ab7aa3eb8b15095a6
SSDEEP: 98304:s7kjPDsYH/UGWaAdZ1D+OT07W/7G8556K1B+4AES5wj3n5LZDEUHxJxbZUlYg:sW/03107WC4DUZtMUS1Zg
TLSH: 5C4602223E918476C2333531824AE779B6EDEC318A77C24766811F393E75552A93CB2F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V..B7g.B7g.B7g.KO..c7g.B7f..5g.KO..m7g.KO...7g.KO..+6g.KO..F7g.KO..C7g.KO..C7g.RichB7g.................PE..L.....IO...........
Icon Hash: 3d6ec6a383839ea2
Entrypoint: 0x4fa619
Entrypoint Section:
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x4F491BC3 [Sat Feb 25 17:34:59 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 3928592f51d28c9331d7717eb92657f1
Signature Valid: false
Signature Issuer: CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number: -2146762495
Not Before: 13/12/2024 16:00:43
Not After: 14/12/2025 16:00:43
Subject Chain:
• CN=ALLstore Software-Entwicklungs GmbH, O=ALLstore Software-Entwicklungs GmbH, STREET=Ogugasse 5/2/31, L=Vienna, S=Vienna, C=AT, OID.1.3.6.1.4.1.311.60.2.1.1=Vienna, OID.1.3.6.1.4.1.311.60.2.1.2=Vienna, OID.1.3.6.1.4.1.311.60.2.1.3=AT, SERIALNUMBER=517249k, OID.2.5.4.15=Private Organization
Version: 3
Thumbprint MD5: E798274C97B4398B73CD94B899523AF6
Thumbprint SHA-1: 77443D5DB8718CBEBC953CEFF4A8795EDBFB6ABC
Thumbprint SHA-256: ACFB98701262E20260BCFBA67FE1DB36F4ED1E1D5B4DB51C4B47F9A68B62EB77
Serial: 1D9ABA861B4A70AE4E3B400D
                                                                                                                          Instruction
                                                                                                                          call 00007F52D8C5E3A7h
                                                                                                                          jmp 00007F52D8C5718Eh
                                                                                                                          mov edi, edi
                                                                                                                          push ebp
                                                                                                                          mov ebp, esp
                                                                                                                          push ecx
                                                                                                                          push ebx
                                                                                                                          push esi
                                                                                                                          push edi
                                                                                                                          push dword ptr [00900EE8h]
                                                                                                                          call 00007F52D8C5DD91h
                                                                                                                          push dword ptr [00900EE4h]
                                                                                                                          mov edi, eax
                                                                                                                          mov dword ptr [ebp-04h], edi
                                                                                                                          call 00007F52D8C5DD81h
                                                                                                                          mov esi, eax
                                                                                                                          pop ecx
                                                                                                                          pop ecx
                                                                                                                          cmp esi, edi
                                                                                                                          jc 00007F52D8C57399h
                                                                                                                          mov ebx, esi
                                                                                                                          sub ebx, edi
                                                                                                                          lea eax, dword ptr [ebx+04h]
                                                                                                                          cmp eax, 04h
                                                                                                                          jc 00007F52D8C57389h
                                                                                                                          push edi
                                                                                                                          call 00007F52D8C5AA69h
                                                                                                                          mov edi, eax
                                                                                                                          lea eax, dword ptr [ebx+04h]
                                                                                                                          pop ecx
                                                                                                                          cmp edi, eax
                                                                                                                          jnc 00007F52D8C5735Ah
                                                                                                                          mov eax, 00000800h
                                                                                                                          cmp edi, eax
                                                                                                                          jnc 00007F52D8C57314h
                                                                                                                          mov eax, edi
                                                                                                                          add eax, edi
                                                                                                                          cmp eax, edi
                                                                                                                          jc 00007F52D8C57321h
                                                                                                                          push eax
                                                                                                                          push dword ptr [ebp-04h]
                                                                                                                          call 00007F52D8C5E463h
                                                                                                                          pop ecx
                                                                                                                          pop ecx
                                                                                                                          test eax, eax
                                                                                                                          jne 00007F52D8C57328h
                                                                                                                          lea eax, dword ptr [edi+10h]
                                                                                                                          cmp eax, edi
                                                                                                                          jc 00007F52D8C57352h
                                                                                                                          push eax
                                                                                                                          push dword ptr [ebp-04h]
                                                                                                                          call 00007F52D8C5E44Dh
                                                                                                                          pop ecx
                                                                                                                          pop ecx
                                                                                                                          test eax, eax
                                                                                                                          je 00007F52D8C57343h
                                                                                                                          sar ebx, 02h
                                                                                                                          push eax
                                                                                                                          lea esi, dword ptr [eax+ebx*4]
                                                                                                                          call 00007F52D8C5DC9Ch
                                                                                                                          pop ecx
                                                                                                                          mov dword ptr [00900EE8h], eax
                                                                                                                          push dword ptr [ebp+08h]
                                                                                                                          call 00007F52D8C5DC8Eh
                                                                                                                          mov dword ptr [esi], eax
                                                                                                                          add esi, 04h
                                                                                                                          push esi
                                                                                                                          call 00007F52D8C5DC83h
                                                                                                                          pop ecx
                                                                                                                          mov dword ptr [00900EE4h], eax
                                                                                                                          mov eax, dword ptr [ebp+08h]
                                                                                                                          pop ecx
                                                                                                                          jmp 00007F52D8C57314h
                                                                                                                          xor eax, eax
                                                                                                                          pop edi
                                                                                                                          pop esi
                                                                                                                          pop ebx
                                                                                                                          leave
                                                                                                                          ret
                                                                                                                          mov edi, edi
                                                                                                                          push esi
                                                                                                                          Programming Language:
                                                                                                                          • [IMP] VS2008 SP1 build 30729
                                                                                                                          • [ASM] VS2008 SP1 build 30729
                                                                                                                          • [ C ] VS2008 SP1 build 30729
                                                                                                                          • [C++] VS2008 SP1 build 30729
                                                                                                                          • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4f0744 | 0x140 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x501000 | 0xb700 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x527800 | 0x1258 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50d000 | 0x194b4 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4aec50 | 0x1c |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4ae000 | 0x8a8 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4f0694 | 0x40 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(nameless) | 0x1000 | 0x4acfe4 | 0x4ad000 | 1f370a009faf790764bae9f08e825395 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
(nameless) | 0x4ae000 | 0x45626 | 0x45800 | d3c6bf55ce0b43d6959ce1695d6d9913 | False | 0.2745686263489209 | data | 5.013594547314559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(nameless) | 0x4f4000 | 0xcef8 | 0x5e00 | 98c02f4ecadfe5bcdddc978047f3de7d | False | 0.28756648936170215 | data | 4.768842453538788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(nameless) | 0x501000 | 0xb700 | 0xb800 | b17c4c8aad9951229a190f63bbd924ff | False | 0.33939792798913043 | data | 5.366651361055996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(nameless) | 0x50d000 | 0x22f1a | 0x23000 | 318abe53405fbdff243ee08f389f674c | False | 0.3086704799107143 | data | 5.4435249966585655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(nameless) | 0x530000 | 0x1060 | 0x200 | e55107f3a94c62b2fe6b153d0dca61b4 | False | 1.021484375 | data | 7.68124514254966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(nameless) | 0x532000 | 0x1050 | 0x200 | 061479d0d879834838a83a15715509c1 | False | 1.021484375 | data | 7.585409688680837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(nameless) | 0x534000 | 0x10e8 | 0x200 | 02e320514652eaa765a5629f1e2f7fa9 | False | 1.021484375 | data | 7.612286971966915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x501d18 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4805194805194805
RT_CURSOR | 0x501e4c | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | English | United States | 0.7
RT_CURSOR | 0x501f00 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.36363636363636365
RT_CURSOR | 0x502034 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.35714285714285715
RT_CURSOR | 0x502168 | 0x134 | data | English | United States | 0.37337662337662336
RT_CURSOR | 0x50229c | 0x134 | data | English | United States | 0.37662337662337664
RT_CURSOR | 0x5023d0 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687
RT_CURSOR | 0x502504 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.37662337662337664
RT_CURSOR | 0x502638 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687
RT_CURSOR | 0x50276c | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x5028a0 | 0x134 | data | English | United States | 0.44155844155844154
RT_CURSOR | 0x5029d4 | 0x134 | data | English | United States | 0.4155844155844156
RT_CURSOR | 0x502b08 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.5422077922077922
RT_CURSOR | 0x502c3c | 0x134 | data | English | United States | 0.2662337662337662
RT_CURSOR | 0x502d70 | 0x134 | data | English | United States | 0.2824675324675325
RT_CURSOR | 0x502ea4 | 0x134 | data | English | United States | 0.3246753246753247
RT_BITMAP | 0x502fd8 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | English | United States | 0.44565217391304346
RT_BITMAP | 0x503090 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | English | United States | 0.37962962962962965
RT_ICON | 0x5031d4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 |  |  | 0.36824324324324326
RT_ICON | 0x5032fc | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 384 |  |  | 0.26024590163934425
RT_ICON | 0x5034e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 |  |  | 0.20430107526881722
RT_ICON | 0x5037cc | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1536 |  |  | 0.1152439024390244
RT_ICON | 0x503e34 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 |  |  | 0.6828034682080925
RT_ICON | 0x50439c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672 |  |  | 0.6647465437788018
RT_ICON | 0x504a64 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 |  |  | 0.6290613718411552
RT_ICON | 0x50530c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 |  |  | 0.5
RT_ICON | 0x5061b4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 |  |  | 0.6320921985815603
RT_ICON | 0x50661c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 |  |  | 0.5864754098360656
RT_ICON | 0x506fa4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 |  |  | 0.3775797373358349
RT_ICON | 0x50804c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 |  |  | 0.29678423236514523
RT_DIALOG | 0x50a5f4 | 0x1d6 | data | English | United States | 0.5106382978723404
RT_DIALOG | 0x50a7cc | 0xae | data | English | United States | 0.6781609195402298
                                                                                                                          RT_DIALOG0x50a87c0xe8dataEnglishUnited States0.6336206896551724
                                                                                                                          RT_DIALOG0x50a9640x34dataEnglishUnited States0.9038461538461539
                                                                                                                          RT_STRING0x50a9980x82StarOffice Gallery theme p, 536899072 objects, 1st nEnglishUnited States0.7153846153846154
                                                                                                                          RT_STRING0x50aa1c0x2adataEnglishUnited States0.5476190476190477
                                                                                                                          RT_STRING0x50aa480x184dataEnglishUnited States0.48711340206185566
                                                                                                                          RT_STRING0x50abcc0x4e6dataEnglishUnited States0.37719298245614036
                                                                                                                          RT_STRING0x50b0b40x264dataEnglishUnited States0.3333333333333333
                                                                                                                          RT_STRING0x50b3180x2dadataEnglishUnited States0.3698630136986301
                                                                                                                          RT_STRING0x50b5f40x8adataEnglishUnited States0.6594202898550725
                                                                                                                          RT_STRING0x50b6800xacdataEnglishUnited States0.45348837209302323
                                                                                                                          RT_STRING0x50b72c0xdedataEnglishUnited States0.536036036036036
                                                                                                                          RT_STRING0x50b80c0x4a8dataEnglishUnited States0.3221476510067114
                                                                                                                          RT_STRING0x50bcb40x228dataEnglishUnited States0.4003623188405797
                                                                                                                          RT_STRING0x50bedc0x2cdataEnglishUnited States0.5227272727272727
                                                                                                                          RT_STRING0x50bf080x42dataEnglishUnited States0.6060606060606061
                                                                                                                          RT_GROUP_CURSOR0x50bf4c0x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States1.0294117647058822
                                                                                                                          RT_GROUP_CURSOR0x50bf700x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                          RT_GROUP_CURSOR0x50bf840x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50bf980x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50bfac0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50bfc00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50bfd40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50bfe80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50bffc0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50c0100x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50c0240x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50c0380x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50c04c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50c0600x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x50c0740x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_ICON0x50c0880xaedata0.5919540229885057
                                                                                                                          RT_VERSION0x50c1380x358dataEnglishUnited States0.41939252336448596
                                                                                                                          RT_MANIFEST0x50c4900x26eASCII text, with CRLF line terminatorsEnglishUnited States0.5176848874598071
DLL | Import
KERNEL32.dll | CreateFileA, SetEnvironmentVariableA, WriteConsoleW, GetLocaleInfoA, GetUserDefaultLCID, InterlockedCompareExchange, GetConsoleOutputCP, WriteConsoleA, EnumSystemLocalesA, IsValidLocale, GetStringTypeW, GetStringTypeA, GetConsoleMode, GetConsoleCP, GetTimeZoneInformation, LCMapStringA, InitializeCriticalSectionAndSpinCount, LCMapStringW, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetVersionExW, QueryPerformanceCounter, VirtualFree, HeapCreate, GetStartupInfoA, SetHandleCount, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, GetStdHandle, GetFileType, SetStdHandle, VirtualQuery, GetSystemInfo, VirtualAlloc, GetSystemTimeAsFileTime, HeapSize, RaiseException, CreateThread, ExitThread, HeapReAlloc, ExitProcess, RtlUnwind, HeapAlloc, HeapFree, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, GetFileTime, GetFileSizeEx, FileTimeToLocalFileTime, Sleep, GetProfileIntW, GetTickCount, SearchPathW, GetSystemDirectoryW, GetTempPathW, GetTempFileNameW, SetErrorMode, FileTimeToSystemTime, lstrlenA, GetFullPathNameW, GetVolumeInformationW, FindFirstFileW, FindClose, GetCurrentProcess, DuplicateHandle, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GlobalGetAtomNameW, FindResourceExW, CreateFileW, GetFileSize, GetFileAttributesW, lstrcpyW, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, GetModuleHandleA, GetCurrentDirectoryW, CopyFileW, GlobalSize, FormatMessageW, LocalFree, MulDiv, FreeResource, GlobalFindAtomW, CompareStringW, LoadLibraryA, GetVersionExA, GetCurrentProcessId, GlobalAddAtomW, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, GetLastError, SetLastError, LoadLibraryW, GlobalFree, VirtualProtect, lstrlenW, WritePrivateProfileStringW, GetPrivateProfileIntW, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, EnumResourceLanguagesW, GetModuleFileNameW, lstrcmpA, GetLocaleInfoW, LoadLibraryExW, CompareStringA, MultiByteToWideChar, WideCharToMultiByte, InterlockedExchange, lstrcmpW, FreeLibrary, GetModuleHandleW, GetProcAddress, GlobalUnlock, GlobalLock, GlobalAlloc, FindResourceW, LoadResource, LockResource, SizeofResource, GetSystemTime, InterlockedDecrement, GetNativeSystemInfo
USER32.dll | DefMDIChildProcW, DefFrameProcW, IsClipboardFormatAvailable, MapVirtualKeyExW, IsCharLowerW, UnpackDDElParam, InsertMenuItemW, TranslateAcceleratorW, GetMenuDefaultItem, SetMenuDefaultItem, UpdateLayeredWindow, EnableScrollBar, UnionRect, SetCursorPos, SetRect, DrawFocusRect, DrawFrameControl, DrawEdge, DrawIconEx, UnregisterClassW, GetKeyNameTextW, GetMenuItemInfoW, LoadImageW, DestroyIcon, CopyImage, DrawStateW, RegisterClipboardFormatW, EnumChildWindows, LockWindowUpdate, BringWindowToTop, IsRectEmpty, KillTimer, SetTimer, InvalidateRect, InflateRect, ReleaseCapture, IsMenu, SetCapture, GetSystemMenu, SetClassLongW, WindowFromPoint, SetParent, CreatePopupMenu, NotifyWinEvent, SetWindowRgn, CreateAcceleratorTableW, LoadAcceleratorsW, DestroyAcceleratorTable, CharUpperW, GetKeyboardState, GetKeyboardLayout, MapVirtualKeyW, ToUnicodeEx, CopyAcceleratorTableW, DestroyMenu, WaitMessage, PostThreadMessageW, GetSysColorBrush, LoadCursorW, SetRectEmpty, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, FillRect, DeleteMenu, GetMenuStringW, AppendMenuW, InsertMenuW, RemoveMenu, GetDesktopWindow, CreateDialogIndirectParamW, DrawMenuBar, EndDialog, MoveWindow, SetWindowTextW, IsDialogMessageW, CheckDlgButton, RegisterWindowMessageW, SendDlgItemMessageW, SendDlgItemMessageA, IsChild, GetClassLongW, GetClassNameW, IsWindow, GetWindowTextLengthW, GetWindowTextW, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, DestroyWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, ScrollWindow, TrackPopupMenu, SetMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, UpdateWindow, GetClientRect, GetMenuItemID, GetMenuItemCount, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, GetSysColor, EnableWindow, GetParent, PostMessageW, SendMessageW, LoadIconW, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetWindowPlacement, GetDlgCtrlID, DefWindowProcW, CallWindowProcW, CopyRect, PtInRect, GetMenu, SetWindowLongW, IntersectRect, SystemParametersInfoA, TranslateMDISysAccel, FrameRect, GetUpdateRect, CharUpperBuffW, CopyIcon, GetNextDlgGroupItem, SubtractRect, GetIconInfo, GetDoubleClickTime, CreateMenu, GetWindowRgn, DestroyCursor, IsIconic, GetWindowPlacement, GetSystemMetrics, GetWindow, GetWindowThreadProcessId, GetLastActivePopup, MessageBoxW, ShowOwnedPopups, SetCursor, SetWindowsHookExW, CallNextHookEx, DrawIcon, GetNextDlgTabItem, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, PostQuitMessage, IsZoomed, RedrawWindow, MessageBeep, OffsetRect, SystemParametersInfoW, WinHelpW, IsWindowEnabled, GetDlgItem, GetWindowLongW, GetWindowRect, SetFocus, GetFocus, GetAsyncKeyState, RemovePropW, GetPropW, ShowWindow, SetWindowPos, MapDialogRect, SetActiveWindow, GetActiveWindow, GetCapture, SetPropW, GetSubMenu, LoadMenuW, CheckMenuItem, EnableMenuItem, GetMenuState, ModifyMenuW, LoadBitmapW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, ValidateRect, GetCursorPos, PeekMessageW, GetKeyState, IsWindowVisible, DispatchMessageW, TranslateMessage, GetMessageW, ReuseDDElParam
GDI32.dll | GetRgnBox, CreateDIBitmap, CreateFontIndirectW, CreateCompatibleBitmap, GetTextMetricsW, EnumFontFamiliesW, GetTextCharsetInfo, CreateRoundRectRgn, GetTextColor, GetTextExtentPoint32W, SetDIBColorTable, PatBlt, GetDIBits, RealizePalette, CombineRgn, StretchBlt, SetPixel, CreateDIBSection, EnumFontFamiliesExW, SetRectRgn, DPtoLP, CreateEllipticRgn, CreatePolygonRgn, GetBkColor, Polyline, Ellipse, Polygon, Rectangle, RoundRect, OffsetRgn, GetPaletteEntries, GetWindowOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, GetViewportOrgEx, LPtoDP, ExtFloodFill, SetPaletteEntries, GetNearestPaletteIndex, GetSystemPaletteEntries, GetTextFaceW, SetPixelV, SetViewportOrgEx, SelectObject, Escape, CreateHatchBrush, CreateRectRgnIndirect, CreateSolidBrush, CreatePen, GetObjectType, SelectPalette, GetStockObject, CreateCompatibleDC, CreatePatternBrush, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, CreatePalette, CreateBitmap, ExtTextOutW, TextOutW, RectVisible, PtVisible, GetPixel, BitBlt, GetWindowExtEx, GetViewportExtEx, CreateRectRgn, SelectClipRgn, DeleteObject, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, SetMapMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, CopyMetaFileW, GetDeviceCaps, GetObjectW, SetBkColor, SetTextColor, GetClipBox, GetDCOrgEx, OffsetViewportOrgEx
MSIMG32.dll | TransparentBlt, AlphaBlend
COMDLG32.dll | GetFileTitleW
WINSPOOL.DRV | DocumentPropertiesW, ClosePrinter, OpenPrinterW
ADVAPI32.dll | RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyW, RegOpenKeyW, RegQueryValueW, RegCloseKey, RegEnumKeyExW
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHAppBarMessage, DragQueryFileW, DragFinish, SHGetFileInfoW, ShellExecuteW
COMCTL32.dll | InitCommonControlsEx, ImageList_GetIconSize
SHLWAPI.dll | PathStripToRootW, PathIsUNCW, PathRemoveFileSpecW, PathFindExtensionW, PathFindFileNameW
ole32.dll | IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, CoInitializeEx, CoUninitialize, OleGetClipboard, DoDragDrop, OleLockRunning, CreateStreamOnHGlobal, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, CoTaskMemFree, CoSetProxyBlanket, CoCreateInstance, RevokeDragDrop, CoLockObjectExternal, RegisterDragDrop
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear, SysAllocStringLen, VariantChangeType, VariantInit, SysStringLen
gdiplus.dll | GdipDrawImageI, GdipGetImageGraphicsContext, GdiplusShutdown, GdiplusStartup, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipGetImagePalette, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipCloneImage
IMM32.dll | ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
WINMM.dll | PlaySoundW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 16:06:36.599231958 CET | 49822 | 443 | 192.168.2.4 | 94.131.15.11
Dec 27, 2024 16:06:36.599273920 CET | 443 | 49822 | 94.131.15.11 | 192.168.2.4
Dec 27, 2024 16:06:36.599351883 CET | 49822 | 443 | 192.168.2.4 | 94.131.15.11
Dec 27, 2024 16:06:36.671843052 CET | 49822 | 443 | 192.168.2.4 | 94.131.15.11
Dec 27, 2024 16:06:36.671874046 CET | 443 | 49822 | 94.131.15.11 | 192.168.2.4
Dec 27, 2024 16:06:36.671943903 CET | 49822 | 443 | 192.168.2.4 | 94.131.15.11
Dec 27, 2024 16:06:36.671952963 CET | 443 | 49822 | 94.131.15.11 | 192.168.2.4
Dec 27, 2024 16:06:36.671957970 CET | 443 | 49822 | 94.131.15.11 | 192.168.2.4
Dec 27, 2024 16:06:37.691284895 CET | 49827 | 443 | 192.168.2.4 | 91.242.163.235
Dec 27, 2024 16:06:37.691348076 CET | 443 | 49827 | 91.242.163.235 | 192.168.2.4
Dec 27, 2024 16:06:37.691453934 CET | 49827 | 443 | 192.168.2.4 | 91.242.163.235
Dec 27, 2024 16:06:37.748378992 CET | 49827 | 443 | 192.168.2.4 | 91.242.163.235
Dec 27, 2024 16:06:37.748414040 CET | 443 | 49827 | 91.242.163.235 | 192.168.2.4
Dec 27, 2024 16:06:37.748428106 CET | 49827 | 443 | 192.168.2.4 | 91.242.163.235
Dec 27, 2024 16:06:37.748435020 CET | 443 | 49827 | 91.242.163.235 | 192.168.2.4
Dec 27, 2024 16:06:37.748464108 CET | 443 | 49827 | 91.242.163.235 | 192.168.2.4
Dec 27, 2024 16:06:39.038697958 CET | 49829 | 443 | 192.168.2.4 | 198.23.237.249
Dec 27, 2024 16:06:39.038752079 CET | 443 | 49829 | 198.23.237.249 | 192.168.2.4
Dec 27, 2024 16:06:39.038820028 CET | 49829 | 443 | 192.168.2.4 | 198.23.237.249
Dec 27, 2024 16:06:39.145345926 CET | 49829 | 443 | 192.168.2.4 | 198.23.237.249
Dec 27, 2024 16:06:39.145361900 CET | 443 | 49829 | 198.23.237.249 | 192.168.2.4
Dec 27, 2024 16:06:39.145411015 CET | 49829 | 443 | 192.168.2.4 | 198.23.237.249
Dec 27, 2024 16:06:39.145415068 CET | 443 | 49829 | 198.23.237.249 | 192.168.2.4
Dec 27, 2024 16:06:39.145430088 CET | 443 | 49829 | 198.23.237.249 | 192.168.2.4
Dec 27, 2024 16:06:40.175127029 CET | 49834 | 443 | 192.168.2.4 | 52.47.90.144
Dec 27, 2024 16:06:40.175160885 CET | 443 | 49834 | 52.47.90.144 | 192.168.2.4
Dec 27, 2024 16:06:40.175242901 CET | 49834 | 443 | 192.168.2.4 | 52.47.90.144
Dec 27, 2024 16:06:40.243948936 CET | 49834 | 443 | 192.168.2.4 | 52.47.90.144
Dec 27, 2024 16:06:40.243984938 CET | 443 | 49834 | 52.47.90.144 | 192.168.2.4
Dec 27, 2024 16:06:40.244031906 CET | 49834 | 443 | 192.168.2.4 | 52.47.90.144
Dec 27, 2024 16:06:40.244041920 CET | 443 | 49834 | 52.47.90.144 | 192.168.2.4
Dec 27, 2024 16:06:40.244052887 CET | 443 | 49834 | 52.47.90.144 | 192.168.2.4
Target ID: 0
Start time: 10:04:55
Start date: 27/12/2024
Path: C:\Users\user\Desktop\GfxDriverUpdater.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\GfxDriverUpdater.exe"
Imagebase: 0x400000
File size: 5'409'368 bytes
MD5 hash: D23183C5A659B5F5CE29168FA2CF9455
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 6
Start time: 10:06:25
Start date: 27/12/2024
Path: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\GfxDriverUpdater.exe"
Imagebase: 0xea0000
File size: 7'680 bytes
MD5 hash: 3C98CEE428375B531A5C98F101B1E063
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 10:06:25
Start date: 27/12/2024
Path: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\GfxDriverUpdater.exe"
Imagebase: 0xea0000
File size: 7'680 bytes
MD5 hash: 3C98CEE428375B531A5C98F101B1E063
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 10:06:26
Start date: 27/12/2024
Path: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\GfxDriverUpdater.exe"
                                                                                                                          Imagebase:0xea0000
                                                                                                                          File size:7'680 bytes
                                                                                                                          MD5 hash:3C98CEE428375B531A5C98F101B1E063
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2638647255.000000007E6D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2638810493.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2638188923.000000007E220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000002.2918581460.000000007DC90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:false

                                                                                                                          Target ID:9
                                                                                                                          Start time:10:06:29
                                                                                                                          Start date:27/12/2024
                                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                                                                          Imagebase:0x7ff72b770000
                                                                                                                          File size:5'141'208 bytes
                                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:10
                                                                                                                          Start time:10:06:30
                                                                                                                          Start date:27/12/2024
                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
                                                                                                                          Imagebase:0x240000
                                                                                                                          File size:236'544 bytes
                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:11
                                                                                                                          Start time:10:06:30
                                                                                                                          Start date:27/12/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:12
                                                                                                                          Start time:10:06:30
                                                                                                                          Start date:27/12/2024
                                                                                                                          Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
                                                                                                                          Imagebase:0xbe0000
                                                                                                                          File size:427'008 bytes
                                                                                                                          MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:13
                                                                                                                          Start time:10:06:34
                                                                                                                          Start date:27/12/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:5'409'368 bytes
                                                                                                                          MD5 hash:D23183C5A659B5F5CE29168FA2CF9455
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:14
                                                                                                                          Start time:10:06:39
                                                                                                                          Start date:27/12/2024
                                                                                                                          Path:C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe"
                                                                                                                          Imagebase:0xea0000
                                                                                                                          File size:7'680 bytes
                                                                                                                          MD5 hash:3C98CEE428375B531A5C98F101B1E063
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000E.00000003.2792024513.000000007E860000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.2791732483.000000007E3B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2804111019.000000007DE20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000E.00000002.2804111019.000000007DE20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.2792100374.000000007EA70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000E.00000003.2792100374.000000007EA70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:15
                                                                                                                          Start time:10:06:44
                                                                                                                          Start date:27/12/2024
                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
                                                                                                                          Imagebase:0x240000
                                                                                                                          File size:236'544 bytes
                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:16
                                                                                                                          Start time:10:06:44
                                                                                                                          Start date:27/12/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:17
                                                                                                                          Start time:10:06:44
                                                                                                                          Start date:27/12/2024
                                                                                                                          Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
                                                                                                                          Imagebase:0xbe0000
                                                                                                                          File size:427'008 bytes
                                                                                                                          MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:18
                                                                                                                          Start time:10:06:49
                                                                                                                          Start date:27/12/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:5'409'368 bytes
                                                                                                                          MD5 hash:D23183C5A659B5F5CE29168FA2CF9455
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

Target ID:19
Start time:10:06:53
Start date:27/12/2024
Path:C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Explorer.EXE
Imagebase:0xea0000
File size:7'680 bytes
MD5 hash:3C98CEE428375B531A5C98F101B1E063
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:10:06:53
Start date:27/12/2024
Path:C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Explorer.EXE
Imagebase:0xea0000
File size:7'680 bytes
MD5 hash:3C98CEE428375B531A5C98F101B1E063
Has elevated privileges:false
Has administrator privileges:false
Programmed in:Borland Delphi
Has exited:false

Target ID:21
Start time:10:06:57
Start date:27/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:22
Start time:10:06:57
Start date:27/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:23
Start time:10:06:57
Start date:27/12/2024
Path:C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):true
Commandline:wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
Imagebase:0xbe0000
File size:427'008 bytes
MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false
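Two things in the process tree above deserve an automated check rather than a manual read: targets 19 and 20 run from pipanel.exe but report a command line of C:\Windows\Explorer.EXE (a process's command line is supplied at creation time and can differ from the image that was actually mapped), and targets 21 and 23 read the disk serial number through WMI. The following Python is an added example, not part of the Joe Sandbox report or its tooling; the process entries are transcribed from the table above, and the two heuristics (image/command-line stem comparison, and the WMI hardware-identifier regex) are assumptions chosen for this example.

```python
import ntpath
import re

# Process-tree entries transcribed from the report above (Target IDs 19-23);
# only the two fields the checks below need are kept.
PROCESSES = [
    {"id": 19,
     "path": r"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"id": 20,
     "path": r"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"id": 21,
     "path": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value'},
    {"id": 22,
     "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"id": 23,
     "path": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "cmdline": r'wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value'},
]

# Command lines that read hardware identifiers through WMI. This pattern is a
# heuristic written for this example, not a rule taken from the report.
HW_FINGERPRINT = re.compile(
    r"\bwmic\b.*\b(diskdrive|bios|baseboard|csproduct)\b.*\b(serialnumber|uuid)\b",
    re.I)

def first_token(cmdline):
    """Return argv[0] of a Windows command line (handles a quoted image path)."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""

def image_stem(p):
    """Lower-case file name without extension, using Windows path rules on any host."""
    return ntpath.splitext(ntpath.basename(p))[0].lower()

def check_process(proc):
    """Return the list of findings for one process entry (empty if clean)."""
    findings = []
    # The command line is what the process says about itself; the path is the
    # image that was really mapped. They should normally name the same binary.
    if image_stem(first_token(proc["cmdline"])) != image_stem(proc["path"]):
        findings.append("cmdline image differs from executable path")
    if HW_FINGERPRINT.search(proc["cmdline"]):
        findings.append("hardware serial lookup via WMI")
    return findings

def triage(processes):
    """Map target id -> findings, keeping only processes with at least one finding."""
    result = {}
    for p in processes:
        f = check_process(p)
        if f:
            result[p["id"]] = f
    return result

if __name__ == "__main__":
    for target_id, f in triage(PROCESSES).items():
        print(target_id, "; ".join(f))
```

The stem comparison is deliberately loose so that a bare `wmic` argv[0] still matches `WMIC.exe` (target 23) while `Explorer.EXE` against `pipanel.exe` (targets 19 and 20) does not. One caveat on the WMI query itself: Win32_DiskDrive instances carry DeviceID values of the form \\.\PHYSICALDRIVEn (the C: style belongs to Win32_LogicalDisk), so the filter as written matches no disk on a standard system; the detection value lies in the attempt, not in whatever it returned.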


Execution Graph

Execution Coverage:1%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:32.5%
Total number of Nodes:114
Total number of Limit Nodes:9
execution_graph: rendered call graph; the node and edge list is omitted here. Nodes in the graph that reach an API: b613a1 WriteProcessMemory; b60c30, b60ec0, b60fa7 and b60a2f VirtualAlloc; b60810 GetPEB; b51213 LoadLibraryA (inside b51161, which the other functions call repeatedly); b56a98 CreateFileW and b56adf CloseHandle; b540ef, b54185 and b54206 LoadLibraryA; b5410f CoInitialize; b541e2 and b54238 SHCreateItemFromParsingName.

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2630496889.0000000000B51000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B51000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b51000_GfxDriverUpdater.jbxd
Similarity
• API ID:
• String ID: kernel32.dll$kernel32.dll$kernelbase.dll$ntdll.dll$user32.dll
• API String ID: 0-1713383623
• Opcode ID: bd73e9b5d5e465a5e20b258e624617f640394e21312dbfbb77272e9f05a7487b
• Instruction ID: a85f4f538e07b92bc1716fcb6a767f7df95b8b5106e96a80705c004aa94a3d14
• Opcode Fuzzy Hash: bd73e9b5d5e465a5e20b258e624617f640394e21312dbfbb77272e9f05a7487b
• Instruction Fuzzy Hash: 38C140B1E10208AFEB14DBA5DC82FAEB7F5EF88304F248259F515BB281E6746940CF54

Control-flow Graph

control_flow_graph for 00B60EC0 (basic block -> successors; executed/not-executed colouring is not preserved in text):
0 b60ec0-b60fa5 -> 1, 2
1 b60fa7-b60fc4 VirtualAlloc -> 3
2 b60fe9-b61048
3 b60fcf-b60fd3 -> 2, 5
5 b60fd5-b60fe7 -> 3
APIs
• VirtualAlloc.KERNELBASE(00000000,00000036,00003000,00000040), ref: 00B60FB2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630496889.0000000000B51000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B51000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b51000_GfxDriverUpdater.jbxd
Similarity
• API ID: AllocVirtual
• String ID: "$"$"$"$"$#$3$3$3$3$3$3$6$D$D$D$D$D$H$H$H$H$U$U$U$V$W$^$_$f$f$f$h$h$j$j$w$w$w
• API String ID: 4275171209-2237795235
• Opcode ID: 2bc74e27f2e491af17c0e247d2f6c63531178a1b4a4bf89fea8506a342eb3038
• Instruction ID: 30d98e327fcfea573d2db066d4e65f7f3f6b01182cab355fd4d9afb6be9f6f5a
• Opcode Fuzzy Hash: 2bc74e27f2e491af17c0e247d2f6c63531178a1b4a4bf89fea8506a342eb3038
• Instruction Fuzzy Hash: 0B514D609083C9DEDB12CBACD45879DBFB16F26318F184188D5983B3D2C7BA4649C77A

Control-flow Graph

control_flow_graph for 00B60990 (basic block -> successors; executed/not-executed colouring is not preserved in text):
7 b60990-b60a2d -> 8, 9
8 b60a62-b60a99
9 b60a2f-b60a5a VirtualAlloc, call b60ec0 -> 11
11 b60a5f -> 8
APIs
• VirtualAlloc.KERNELBASE(00000000,00000024,00003000,00000040), ref: 00B60A3A
  • Part of subcall function 00B60EC0: VirtualAlloc.KERNELBASE(00000000,00000036,00003000,00000040), ref: 00B60FB2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630496889.0000000000B51000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B51000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b51000_GfxDriverUpdater.jbxd
Similarity
• API ID: AllocVirtual
• String ID: "$"$"$#$%$3$3$3$3$D$D$D$H$H$H$`$e$g$h$h$j$j
• API String ID: 4275171209-1009948329
• Opcode ID: a819780f18a0f10f91a274f2d98a4876399628bafa28d17761478a7cbd8f84be
• Instruction ID: 8d268102376cccbdd018e32f461cdf1d077ba4cb860427a19bf3a96ccd96f365
• Opcode Fuzzy Hash: a819780f18a0f10f91a274f2d98a4876399628bafa28d17761478a7cbd8f84be
• Instruction Fuzzy Hash: 834134509083C9DEEB12C7A8D85979EBFB15F26308F0881C8D5843B2D2D6BB0749C7B6

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(?,33656C4F,00000032,00004E20), ref: 00B540F7
• CoInitialize.OLE32(00000000,?,6E496F43,61697469,657A696C,00000000,33656C4F,00000032,00004E20), ref: 00B54126
• LoadLibraryA.KERNEL32(?,6C656853,2E32336C,006C6C64,?,72436F43,65746165,74736E49,65636E61,00000000,?,6E496F43,61697469,657A696C,00000000,33656C4F), ref: 00B54195
  • Part of subcall function 00B51161: LoadLibraryA.KERNEL32(NTDLL,?), ref: 00B51229
• SHCreateItemFromParsingName.SHELL32(C:\Users\user\Desktop\GfxDriverUpdater.exe,00000000,00B6E190,00B7BC8C), ref: 00B541F8
• LoadLibraryA.KERNEL32(?,776C6873,2E697061,006C6C64,?,6C656853,2E32336C,006C6C64,?,72436F43,65746165,74736E49,65636E61,00000000,?,6E496F43), ref: 00B54216
• SHCreateItemFromParsingName.SHELL32(?,00000000,00B6E190,00B7BC90), ref: 00B54247
The 8-hex-digit arguments above are raw stack DWORDs; read as little-endian ASCII they are stack strings naming the libraries and exports the code resolves at run time: 33656C4F 00000032 = "Ole32"; 6E496F43 61697469 657A696C = "CoInitialize"; 6C656853 2E32336C 006C6C64 = "Shell32.dll"; 72436F43 65746165 74736E49 65636E61 = "CoCreateInstance"; 776C6873 2E697061 006C6C64 = "shlwapi.dll". None of these names appears as a plain string in the dump, which is why the String ID below lists only the sample path and bumbguard.exe.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630496889.0000000000B51000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B51000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b51000_GfxDriverUpdater.jbxd
Similarity
• API ID: LibraryLoad$CreateFromItemNameParsing$Initialize
• String ID: C:\Users\user\Desktop\GfxDriverUpdater.exe$bumbguard.exe
• API String ID: 2167549273-1316834555
• Opcode ID: 9a1fafbcc042c31a67784a895758f5749ad03214f757c1972290750c4a04aea2
• Instruction ID: fcbdadf68d25764e70a31e8c31821eeafb192898318056883b7af20ddaa130d1
• Opcode Fuzzy Hash: 9a1fafbcc042c31a67784a895758f5749ad03214f757c1972290750c4a04aea2
• Instruction Fuzzy Hash: 45418530284204BBEE026B74ED46F1A3BA1EB50B42F0085E0FE18B75F5EFA199959E55
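Decoding the stack-string arguments by hand works for a handful of calls, but a trace with dozens of them needs a tool. The Python below is an added example, not part of the Joe Sandbox report: it takes an argument list exactly as the trace prints it (8 hex digits per stack DWORD, "?" for values the sandbox could not resolve), reinterprets each DWORD as little-endian bytes, and joins consecutive printable runs into strings, splitting on an embedded NUL or on a non-text value. The argument lists are copied from the four LoadLibraryA/CoInitialize entries above; the minimum length of 3 used to drop noise such as the 00004E20 value is an assumption of this example.

```python
import struct

# Argument lists copied from the API trace above; Joe Sandbox prints each
# stack DWORD as 8 hex digits and unknown/pointer values as "?".
LOADLIBRARYA_B540F7 = ["?", "33656C4F", "00000032", "00004E20"]
COINITIALIZE_B54126 = ["00000000", "?", "6E496F43", "61697469", "657A696C",
                       "00000000", "33656C4F", "00000032", "00004E20"]
LOADLIBRARYA_B54195 = ["?", "6C656853", "2E32336C", "006C6C64", "?", "72436F43",
                       "65746165", "74736E49", "65636E61", "00000000", "?",
                       "6E496F43", "61697469", "657A696C", "00000000", "33656C4F"]
LOADLIBRARYA_B54216 = ["?", "776C6873", "2E697061", "006C6C64", "?", "6C656853",
                       "2E32336C", "006C6C64", "?", "72436F43", "65746165",
                       "74736E49", "65636E61", "00000000", "?", "6E496F43"]

def dword_text(hex_dword):
    """Read one stack DWORD as little-endian bytes.

    Returns (text, terminated): the printable-ASCII bytes before the first NUL
    and whether a NUL appeared inside the DWORD. (None, False) if the DWORD
    does not look like text (a pointer, a counter, or the "?" placeholder).
    """
    if hex_dword == "?" or len(hex_dword) != 8:
        return None, False
    raw = struct.pack("<I", int(hex_dword, 16))
    text = raw.split(b"\x00", 1)[0]
    if not text or any(b < 0x20 or b > 0x7E for b in text):
        return None, False
    return text.decode("ascii"), len(text) < 4

def stack_strings(args, min_len=3):
    """Join runs of text-looking DWORDs into strings.

    A run ends at a NUL terminator inside a DWORD or at a non-text value.
    Strings shorter than min_len are dropped as noise (e.g. the " N" that the
    timeout-like value 00004E20 produces). min_len=3 is a choice for this example.
    """
    out, cur = [], ""

    def flush():
        nonlocal cur
        if len(cur) >= min_len:
            out.append(cur)
        cur = ""

    for a in args:
        text, terminated = dword_text(a)
        if text is None:
            flush()
            continue
        cur += text
        if terminated:
            flush()
    flush()
    return out

if __name__ == "__main__":
    for name, args in [("LoadLibraryA@00B540F7", LOADLIBRARYA_B540F7),
                       ("CoInitialize@00B54126", COINITIALIZE_B54126),
                       ("LoadLibraryA@00B54195", LOADLIBRARYA_B54195),
                       ("LoadLibraryA@00B54216", LOADLIBRARYA_B54216)]:
        print(name, stack_strings(args))
```

Because the trace only prints a fixed number of stack slots per call, the last string in a list is often cut short ("Ole3", "CoIn" in the longer entries); the same names appear complete in neighbouring calls, so the decoded output should be read across the whole trace rather than one call at a time.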

Control-flow Graph

control_flow_graph for 00B56A1B (basic block -> successors; executed/not-executed colouring is not preserved in text):
114 b56a1b-b56a23 -> 115, 116
115 b56a25-b56a7a call b51161, call b564d9, call b51161
116 b56a8c-b56ab4 call b51161, CreateFileW -> 121, 122
121 b56b17
122 b56ab6-b56b07 call b51161 * 2, CloseHandle -> 121, 134
134 b56b09-b56b0f -> 121
APIs
• CreateFileW.KERNELBASE(C:\Users\user\Desktop\GfxDriverUpdater.exe,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00B56AAF
• CloseHandle.KERNELBASE(00000000), ref: 00B56AE0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630496889.0000000000B51000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B51000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b51000_GfxDriverUpdater.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: C:\Users\user\Desktop\GfxDriverUpdater.exe
• API String ID: 3498533004-2496068828
• Opcode ID: b8814824009727eb6a068c08025d6dfd3800cddfe4454b4255d1f0f7a0371eb0
• Instruction ID: 519b07f43d88125b39b860c534fb7a68e4b804328ca7424f101cf463358b129a
• Opcode Fuzzy Hash: b8814824009727eb6a068c08025d6dfd3800cddfe4454b4255d1f0f7a0371eb0
• Instruction Fuzzy Hash: 201193327402147FEE156768DC82F6932E2EB80B12F1581E0FA2CBF6F1DFA189458B45

Control-flow Graph
• (rendered graph not preserved) Block b56a7c-b56ab4 calls b51161 and CreateFileW; block b56ab6-b56b07 calls b51161 twice and CloseHandle, then b56b09-b56b0f; both paths end at b56b17.
APIs
• CreateFileW.KERNELBASE(C:\Users\user\Desktop\GfxDriverUpdater.exe,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00B56AAF
  • Part of subcall function 00B51161: LoadLibraryA.KERNEL32(NTDLL,?), ref: 00B51229
• CloseHandle.KERNELBASE(00000000), ref: 00B56AE0
Strings
• C:\Users\user\Desktop\GfxDriverUpdater.exe, xrefs: 00B56AAA
Memory Dump Source
• Source File: 00000000.00000002.2630496889.0000000000B51000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B51000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b51000_GfxDriverUpdater.jbxd
Similarity
• API ID: CloseCreateFileHandleLibraryLoad
• String ID: C:\Users\user\Desktop\GfxDriverUpdater.exe
• API String ID: 2506845977-2496068828

Control-flow Graph
• (rendered graph not preserved) Entry block b61387-b6139f leads via b613a1 / b613a4-b613ac into a loop over b613ae-b613c2, then block b613c4-b613d9 calls WriteProcessMemory and b613de.
APIs
• WriteProcessMemory.KERNELBASE ref: 00B613C8
Similarity
• API ID: MemoryProcessWrite
• API String ID: 3559483778-0

Strings
Similarity
• String ID: Basi$Micr$Para$RDPU$VMwa$VMwa$llel$reVM$t Hv$ware
• API String ID: 0-710289715

Strings
Similarity
• String ID: header crc mismatch$incorrect header check$invalid window size$unknown compression method$unknown header flags set
• API String ID: 0-3633268661

Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0

Similarity
• API ID: AllocVirtual
• API String ID: 4275171209-0

Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0
                                                                                                                            • Snapshot File: hcaresult_0_2_b51000_GfxDriverUpdater.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                                                                                            • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                                                                                                                            • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                                                                                            • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2630496889.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_b80000_GfxDriverUpdater.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 76d19356b69858ac19ff1ad81e711392b3872bf4ecf994bf78ade77a923da614
                                                                                                                            • Instruction ID: 9717cb86c1fbcc9860a72e1032eb35fbc924ee275d79a9561f6ff3041d479ebf
                                                                                                                            • Opcode Fuzzy Hash: 76d19356b69858ac19ff1ad81e711392b3872bf4ecf994bf78ade77a923da614
                                                                                                                            • Instruction Fuzzy Hash:
                                                                                                                            APIs
                                                                                                                            • lstrcpyW.KERNEL32(00B7C4EB,C:\Users\user\Desktop\GfxDriverUpdater.exe), ref: 00B53C85
                                                                                                                            • lstrcpyW.KERNEL32(00B7C6F7,Gbumps Inc), ref: 00B53C95
                                                                                                                            • lstrcpyW.KERNEL32(00B7C727,C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe), ref: 00B53CA5
                                                                                                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe), ref: 00B53CB0
                                                                                                                            • lstrcpyW.KERNEL32(00B7C92F,00B732CC,00B76F9A,00B732CC), ref: 00B53CDC
                                                                                                                            • lstrcpy.KERNEL32(00B7C98F,00B76F9A), ref: 00B53CEC
                                                                                                                            Strings
                                                                                                                            • C:\Users\user\Desktop\GfxDriverUpdater.exe, xrefs: 00B53C7B
                                                                                                                            • C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe, xrefs: 00B53C9B, 00B53CAB
                                                                                                                            • Gbumps Inc, xrefs: 00B53C8B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2630496889.0000000000B51000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B51000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_b51000_GfxDriverUpdater.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcpy$lstrlen
                                                                                                                            • String ID: C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe$C:\Users\user\Desktop\GfxDriverUpdater.exe$Gbumps Inc
                                                                                                                            • API String ID: 367037083-862242091
                                                                                                                            • Opcode ID: 125ca504bb3829639c7a69a649908ab95ff8059ad0e247215068e257f4dfecfb
                                                                                                                            • Instruction ID: d7f4a6b7a30af975abb23d14f2ef4328695197c28304ba48103469bafceaefed
                                                                                                                            • Opcode Fuzzy Hash: 125ca504bb3829639c7a69a649908ab95ff8059ad0e247215068e257f4dfecfb
                                                                                                                            • Instruction Fuzzy Hash: 5301F4317C1B117FD65037B08D17F49BAE0AB05F02F4494DCBABDA51F6DBE1A1444616
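The function entry above is the one that matters operationally: it copies the sample's own path, a vendor-looking folder name ("Gbumps Inc") and the drop location under the user's local application data into memory, which is where the persistence path for bumbguard.exe comes from. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses the "• api.MODULE(args), ref: call-site" lines the function view emits and turns the string arguments into indicators. The one caveat it handles is that the sandbox runs as a user literally named "user": a detection that matches C:\Users\user\... verbatim never fires on a real host, so paths are rewritten to the environment variable they live under. The input lines are copied from the two entries above; the profile-normalization rules and the 8-hex-digit pointer heuristic are this example's own assumptions.

```python
import re

# Constructed input: the API-call lines of the lstrcpyW/lstrlenW function entry
# above plus the LoadLibraryA line of the next entry, copied from this report in
# the "• api.MODULE(args), ref: call-site" form the function view uses.
SAMPLE_LINES = r"""
• lstrcpyW.KERNEL32(00B7C4EB,C:\Users\user\Desktop\GfxDriverUpdater.exe), ref: 00B53C85
• lstrcpyW.KERNEL32(00B7C6F7,Gbumps Inc), ref: 00B53C95
• lstrcpyW.KERNEL32(00B7C727,C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe), ref: 00B53CA5
• lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe), ref: 00B53CB0
• lstrcpyW.KERNEL32(00B7C92F,00B732CC,00B76F9A,00B732CC), ref: 00B53CDC
• lstrcpy.KERNEL32(00B7C98F,00B76F9A), ref: 00B53CEC
• LoadLibraryA.KERNEL32(00B76F9A,00B76F9A,00002710,00B732CC), ref: 00B5402E
"""

API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# Assumption: an argument rendered as exactly 8 hex digits is a pointer, handle
# or size that the sandbox could not resolve to a string, so it is not an IOC.
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")

# Assumed normalization rules (not from the report): replace the sandbox's
# per-user profile directory with the variable a detection would use anywhere.
PROFILE_RULES = [
    (re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local", re.I), "%LOCALAPPDATA%"),
    (re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming", re.I), "%APPDATA%"),
    (re.compile(r"^[A-Za-z]:\\Users\\[^\\]+", re.I), "%USERPROFILE%"),
]


def parse_api_calls(text):
    """Turn the bullet lines into dicts: api, module, argument list, call-site address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line.strip())
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def normalize_path(path):
    """Collapse a per-user profile prefix into the matching environment variable."""
    for pattern, env in PROFILE_RULES:
        if pattern.match(path):
            return pattern.sub(env, path, count=1)
    return path


def extract_iocs(calls):
    """Split string arguments into (paths, other literals); hex pointers are dropped."""
    paths, literals = set(), set()
    for call in calls:
        for arg in call["args"]:
            if HEX_ARG.match(arg):
                continue
            if WIN_PATH.match(arg):
                paths.add(normalize_path(arg))
            else:
                literals.add(arg)
    return paths, literals


if __name__ == "__main__":
    calls = parse_api_calls(SAMPLE_LINES)
    for c in calls:
        print(f"{c['ref']:08X}  {c['module']}!{c['api']}({', '.join(c['args'])})")
    paths, literals = extract_iocs(calls)
    print("paths:   ", sorted(paths))
    print("literals:", sorted(literals))
```

Run as a script it lists the seven calls with their call-site addresses and then the two profile-relative paths plus the folder name; the same functions work on any function entry pasted from a report, and the path set is what you would feed into a file-path or Sigma rule rather than the sandbox-specific string.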
APIs
• LoadLibraryA.KERNEL32(00B76F9A,00B76F9A,00002710,00B732CC), ref: 00B5402E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630496889.0000000000B51000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B51000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b51000_GfxDriverUpdater.jbxd
Similarity
• API ID: LibraryLoad
• String ID: C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe$bumbguard.exe
• API String ID: 1029625771-2378045078
• Opcode ID: db4f92fcb5d055191d2c8f14fe4958e3b397e814e60dc3c46e96b72a119709d4
• Instruction ID: cd7a646d4b2f6a9d5340843de77c6a5082c111fdcfe4bd2c3a80b1d7e296b33f
• Opcode Fuzzy Hash: db4f92fcb5d055191d2c8f14fe4958e3b397e814e60dc3c46e96b72a119709d4
• Instruction Fuzzy Hash: FD11A1307806147EEE2237B49C47F293AE18B85F16F4445D4FE6CB21F7EF82198555A2

APIs
• LoadLibraryA.KERNEL32(00B76F9A,00B76F9A,00002710,00B732CC), ref: 00B5402E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630496889.0000000000B51000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B51000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b51000_GfxDriverUpdater.jbxd
Similarity
• API ID: LibraryLoad
• String ID: C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe$bumbguard.exe
• API String ID: 1029625771-2378045078
• Opcode ID: 95cc65419aae3a3bf4094f9e2c5b18892fb1884b2db5db658498e1a56087453e
• Instruction ID: fd21ea287b4999289ab322b82574b85fd73ebdd6bad4a7b1862c444ded477705
• Opcode Fuzzy Hash: 95cc65419aae3a3bf4094f9e2c5b18892fb1884b2db5db658498e1a56087453e
• Instruction Fuzzy Hash: 8C11A1307806147EEE2237B49C47F2A3AE19B85B16F4445E4FE6CB21F3EF82198555A2

Execution Graph

Execution Coverage: 23%
Dynamic/Decrypted Code Coverage: 18.5%
Signature Coverage: 7.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 28
execution_graph (Joe Sandbox renders this as a node/edge diagram; the raw node list does not survive extraction in a readable form, so only the API calls recoverable from the node labels are kept here, grouped by the entry-point function they are reached from, with addresses written as they appear in the graph)

• 5b49b34: RegisterServiceCtrlHandlerExW (5b49bd0), SetServiceStatus (5b49be4), then CreateThread (5699d94); a Sleep loop at 5b49c32; SysFreeString at 5699ee6
• 408180 (shutdown path): TlsGetValue (40ffb9, 40ff74), TlsSetValue (40ff76), LocalAlloc (40ff2c), GetStdHandle + WriteFile (4098ba, 409907), GetCurrentThreadId (40997e), FreeLibrary (409a1b), ExitProcess (409a43)
• 40ee08 (resource-string and locale lookup): LoadStringW (40ee4c), GetModuleFileNameW (40c238, 40d49c, 40cdc3), LoadLibraryExW (40d528), GetUserDefaultUILanguage (40d423, 409d3c), GetSystemDefaultUILanguage (40d44b, 40cb08, 40c8b0), GetThreadUILanguage (40c948), GetThreadPreferredUILanguages (40c904, 40c92e), SetThreadPreferredUILanguages (40c93e, 40ca0c, 40ca3d), IsValidLocale (40cac1, 40c7f0), GetLocaleInfoW (40c803, twice), RtlEnterCriticalSection (40ca64, 40cb1f), RtlLeaveCriticalSection (40caa1, 40cab0, 40cb48), RegOpenKeyExW (six call sites, 40ce00 to 40ce9f), RegQueryValueExW (40cedf, 40cf05, 40cf30, 40cf54), RegCloseKey (40cf96), GetModuleHandleW (40cba8) + GetProcAddress (40cbd0), CharNextW (40cb8a), FindFirstFileW (40ccc8, 40d1a6), FindClose + lstrlenW (40cce4), FindClose (40d1b6), lstrlenW (40cd32)
• 405ecc (memory manager): VirtualQuery (405828), VirtualAlloc (40588e, 4058a4, 4056fc, 40563d), VirtualFree (405787, 405e60), VirtualQuery + VirtualFree (4057aa), with Sleep back-off loops between retries
• e9007d: CreateMutexA
• 5b78760: WSAStartup, GetLastError
• 5b54a54: LoadLibraryA + GetProcAddress, then in the 0569xxxx region reached from it: TlsGetValue (56a122d, 56a11e8), TlsSetValue (56a11ea), LocalAlloc (56a11a0), GetStdHandle + WriteFile (5699afe, 5699b4b), GetCurrentThreadId (5699bc2, 5698aae, 5698ebc, 5698ee4, 5698baa, 56988bc), FreeLibrary (5699c5f), ExitProcess (5699c87), GetModuleHandleW + GetProcAddress (56987a8) followed by GetLogicalProcessorInformation (56987d0, 56987f1) and GetLastError (56987df), GetTickCount (5698a67, 5698a7f, 5698ad9, 5698b10, 5698b3a), Sleep (569871d, 5698735, 5698c68), SwitchToThread (569873e)
8946->8948 8949 5699e78 8947->8949 8952 569a303 SysReAllocStringLen 8947->8952 8948->8939 8950 5699ef4 8949->8950 8951 5699ee6 SysFreeString 8949->8951 8950->8939 8951->8950 8952->8948 8952->8949 8954 569bce3 8953->8954 8955 569bb79 8953->8955 8954->8941 8955->8954 8956 569f908 32 API calls 8955->8956 8957 569a2ec 2 API calls 8955->8957 8958 569bec0 32 API calls 8955->8958 8959 569bb54 32 API calls 8955->8959 8956->8955 8957->8955 8958->8955 8959->8955 8965 583be68 8960->8965 8962 5b548b7 8963 5b548e9 8962->8963 8964 583be68 14 API calls 8962->8964 8964->8963 8966 583be8e 8965->8966 8971 583c778 8966->8971 8968 583bea0 8969 583bea4 VirtualProtect 8968->8969 8970 583bebd 8968->8970 8969->8970 8970->8962 8972 583c78f 8971->8972 8973 583c924 8972->8973 8974 583c8c2 LoadLibraryW 8972->8974 8975 583c820 LoadLibraryW 8972->8975 8976 583c804 LoadLibraryW 8972->8976 8977 583c8a9 LoadLibraryW 8972->8977 8978 583c7e8 LoadLibraryW 8972->8978 8979 583c90d LoadLibraryW 8972->8979 8980 583c890 LoadLibraryW 8972->8980 8981 583c874 LoadLibraryW 8972->8981 8982 583c8f4 LoadLibraryW 8972->8982 8983 583c8db LoadLibraryW 8972->8983 8984 583c858 LoadLibraryW 8972->8984 8985 583c83c LoadLibraryW 8972->8985 8986 583c92c 8973->8986 8989 583c94a 8973->8989 8974->8973 8975->8973 8976->8973 8977->8973 8978->8973 8979->8973 8980->8973 8981->8973 8982->8973 8983->8973 8984->8973 8985->8973 8990 583ca90 8986->8990 8988 583c937 8988->8989 8989->8968 8991 583caac 8990->8991 8992 583cbc8 8991->8992 8993 583cba3 LoadLibraryW 8991->8993 8992->8988 8993->8991 11566 e9004a 11567 e90053 11566->11567 11569 e9007d CreateMutexA 11567->11569 8995 583eae4 9000 56a007c 8995->9000 8997 583eb04 9005 5699558 8997->9005 9001 56a0084 9000->9001 9004 56a00d1 9001->9004 9011 569d28c 9001->9011 9003 56a00c0 LoadStringW 9003->9004 9004->8997 9006 569955c 9005->9006 9007 5699566 9005->9007 9008 5699cc8 11 API calls 9006->9008 9010 56995a4 9007->9010 9148 5696fd4 9007->9148 9008->9007 9012 569d2b9 9011->9012 9013 
569d29a 9011->9013 9012->9003 9013->9012 9016 569d244 9013->9016 9017 569d254 GetModuleFileNameW 9016->9017 9019 569d270 9016->9019 9020 569e4b8 GetModuleFileNameW 9017->9020 9019->9003 9021 569e506 9020->9021 9026 569e394 9021->9026 9023 569e532 9024 569e544 LoadLibraryExW 9023->9024 9025 569e54c 9023->9025 9024->9025 9025->9019 9030 569e3b5 9026->9030 9027 569e43d 9027->9023 9029 569e42a 9031 569e43f GetUserDefaultUILanguage 9029->9031 9032 569e430 9029->9032 9030->9027 9044 569e0d0 9030->9044 9048 569da80 EnterCriticalSection 9031->9048 9033 569e1fc 2 API calls 9032->9033 9033->9027 9035 569e44c 9068 569e1fc 9035->9068 9037 569e459 9038 569e481 9037->9038 9039 569e467 GetSystemDefaultUILanguage 9037->9039 9038->9027 9072 569e2c8 9038->9072 9041 569da80 17 API calls 9039->9041 9042 569e474 9041->9042 9043 569e1fc 2 API calls 9042->9043 9043->9038 9045 569e0f2 9044->9045 9047 569e0fc 9044->9047 9080 569ddb4 9045->9080 9047->9029 9049 569dacc LeaveCriticalSection 9048->9049 9050 569daac 9048->9050 9117 5699e98 9049->9117 9053 569dabd LeaveCriticalSection 9050->9053 9052 569dadd IsValidLocale 9054 569db3b EnterCriticalSection 9052->9054 9055 569daec 9052->9055 9056 569db6e 9053->9056 9057 569db53 9054->9057 9058 569db00 9055->9058 9059 569daf5 9055->9059 9056->9035 9063 569db64 LeaveCriticalSection 9057->9063 9132 569d768 9058->9132 9119 569d964 GetThreadUILanguage 9059->9119 9062 569db09 GetSystemDefaultUILanguage 9062->9054 9064 569db13 9062->9064 9063->9056 9065 569db24 GetSystemDefaultUILanguage 9064->9065 9066 569d768 3 API calls 9065->9066 9067 569dafe 9066->9067 9067->9054 9070 569e21a 9068->9070 9069 569e295 9069->9037 9070->9069 9141 569e190 9070->9141 9146 5699f7c 9072->9146 9075 569e318 9076 569e190 2 API calls 9075->9076 9077 569e32c 9076->9077 9078 569e35a 9077->9078 9079 569e190 2 API calls 9077->9079 9078->9027 9079->9078 9081 569ddcb 9080->9081 9082 569dddf GetModuleFileNameW 9081->9082 9083 569ddf4 9081->9083 9082->9083 9084 569de1c RegOpenKeyExW 
9083->9084 9085 569dfc3 9083->9085 9086 569dedd 9084->9086 9087 569de43 RegOpenKeyExW 9084->9087 9085->9047 9101 569dbc4 GetModuleHandleW 9086->9101 9087->9086 9088 569de61 RegOpenKeyExW 9087->9088 9088->9086 9090 569de7f RegOpenKeyExW 9088->9090 9090->9086 9092 569de9d RegOpenKeyExW 9090->9092 9091 569defb RegQueryValueExW 9093 569df19 9091->9093 9094 569df4c RegQueryValueExW 9091->9094 9092->9086 9097 569debb RegOpenKeyExW 9092->9097 9099 569df21 RegQueryValueExW 9093->9099 9095 569df68 9094->9095 9096 569df4a 9094->9096 9100 569df70 RegQueryValueExW 9095->9100 9098 569dfb2 RegCloseKey 9096->9098 9097->9085 9097->9086 9098->9047 9099->9096 9100->9096 9102 569dbfd 9101->9102 9103 569dbec GetProcAddress 9101->9103 9104 569dc13 9102->9104 9109 569dc5f 9102->9109 9113 569dba0 9102->9113 9103->9102 9104->9091 9107 569dba0 CharNextW 9107->9109 9108 569dba0 CharNextW 9108->9109 9109->9104 9109->9108 9110 569dce4 FindFirstFileW 9109->9110 9112 569dd4e lstrlenW 9109->9112 9110->9104 9111 569dd00 FindClose lstrlenW 9110->9111 9111->9104 9111->9109 9112->9109 9114 569dbae 9113->9114 9115 569dbbc 9114->9115 9116 569dba6 CharNextW 9114->9116 9115->9104 9115->9107 9116->9114 9118 5699e9e 9117->9118 9118->9052 9120 569d9d9 9119->9120 9121 569d980 9119->9121 9123 569d920 2 API calls 9120->9123 9137 569d920 GetThreadPreferredUILanguages 9121->9137 9129 569d9e1 9123->9129 9125 569da28 SetThreadPreferredUILanguages 9127 569d920 2 API calls 9125->9127 9128 569da3e 9127->9128 9130 569da59 SetThreadPreferredUILanguages 9128->9130 9131 569da69 9128->9131 9129->9125 9129->9131 9130->9131 9131->9067 9133 569d7a3 9132->9133 9134 569d80c IsValidLocale 9133->9134 9135 569d85a 9133->9135 9134->9135 9136 569d81f GetLocaleInfoW GetLocaleInfoW 9134->9136 9135->9062 9136->9135 9138 569d95a SetThreadPreferredUILanguages 9137->9138 9139 569d941 9137->9139 9138->9120 9140 569d94a GetThreadPreferredUILanguages 9139->9140 9140->9138 9142 569e1a5 9141->9142 9143 569e1c2 FindFirstFileW 9142->9143 9144 
569e1d2 FindClose 9143->9144 9145 569e1d8 9143->9145 9144->9145 9145->9070 9147 5699f80 GetUserDefaultUILanguage GetLocaleInfoW 9146->9147 9147->9075 9149 56a11f8 11 API calls 9148->9149 9150 5696fd9 9149->9150 9150->9010 9687 5b8d444 9690 56a1764 GetModuleHandleW 9687->9690 9689 5b8d454 9691 56a179f 9690->9691 9691->9689 9692 7eee00 9715 4104f0 GetModuleHandleW 9692->9715 9694 7eee18 9717 7e937c waveOutGetVolume 9694->9717 9697 7eef02 9698 409cb4 11 API calls 9697->9698 9700 7eef1c 9698->9700 9701 7eee3b 9701->9697 9702 7eee97 9701->9702 9703 7eee79 Sleep 9701->9703 9702->9697 9725 7e9724 9702->9725 9703->9702 9703->9703 9705 7eeeac 9705->9697 9742 7e9978 GetTickCount64 9705->9742 9707 7eeec0 9707->9697 9744 7e9998 SystemParametersInfoW 9707->9744 9711 7eeed7 9711->9697 9767 409b14 9711->9767 9716 41052b 9715->9716 9716->9694 9718 7e9391 9717->9718 9718->9697 9719 7e93d8 CoInitialize 9718->9719 9831 40d6fc 9719->9831 9722 7e9436 9723 7e9425 9722->9723 9724 7e94b6 CoUninitialize 9722->9724 9723->9701 9724->9701 9724->9723 9726 409c54 11 API calls 9725->9726 9727 7e9769 9726->9727 9833 40a744 9727->9833 9730 40a930 11 API calls 9731 7e9786 9730->9731 9836 42187c 9731->9836 9735 7e97aa 9860 729ee4 9735->9860 9737 7e983a 9737->9705 9739 7e97b6 9739->9737 9740 7e9824 9739->9740 9864 41f8e8 9739->9864 9741 40aaf8 11 API calls 9740->9741 9741->9737 9743 7e998d 9742->9743 9743->9707 9745 7e99c2 9744->9745 9745->9697 9746 7e99f0 9745->9746 9747 729ee4 60 API calls 9746->9747 9748 7e9a32 GetSystemInfo 9747->9748 9749 42187c 80 API calls 9748->9749 9750 7e9a6a 9749->9750 9751 42187c 80 API calls 9750->9751 9752 7e9a92 GetLogicalProcessorInformation GetLastError 9751->9752 9754 7e9ab7 9752->9754 9760 7e9ae2 9752->9760 9755 40be80 34 API calls 9754->9755 9756 7e9ace GetLogicalProcessorInformation 9755->9756 9757 7e9b33 9756->9757 9756->9760 9758 42187c 80 API calls 9757->9758 9763 7e9b60 9758->9763 9759 409cb4 11 API calls 9761 7e9bc1 9759->9761 9760->9759 9762 409c54 11 API 
calls 9761->9762 9764 7e9bc9 9762->9764 9763->9711 9765 40bfa4 27 API calls 9764->9765 9766 7e9bd7 9765->9766 9766->9711 9768 409b3f 9767->9768 9770 409b31 CreateThread 9767->9770 9769 406e58 11 API calls 9768->9769 9769->9770 9772 409b80 9770->9772 9773 409b79 9770->9773 10301 409adc 9770->10301 9775 7e9d18 9772->9775 9774 406e74 11 API calls 9773->9774 9774->9772 10305 7e7ec8 9775->10305 9777 7e9d51 10310 7e9238 GetModuleHandleW GetProcAddress 9777->10310 9782 7e9d8a 10319 7b5354 9782->10319 9784 7e9df3 GetModuleHandleW 9785 7e9e10 9784->9785 10433 7b3fd8 9785->10433 9786 7e9da4 9786->9784 9787 72bdb8 57 API calls 9786->9787 9789 7e9dc5 9787->9789 10360 7e29c0 9789->10360 9795 409c54 11 API calls 9798 7e9f28 9795->9798 9801 409c9c SysFreeString 9798->9801 9803 7e9f30 9801->9803 9806 409cb4 11 API calls 9803->9806 9805 4071b8 13 API calls 9807 7e9e62 9805->9807 9808 7e9f3d 9806->9808 10452 421318 9807->10452 9810 409c78 11 API calls 9808->9810 9811 7e9f45 9810->9811 9812 409c54 11 API calls 9811->9812 9813 7e9f4d 9812->9813 9816 409cb4 11 API calls 9813->9816 9814 7e9ea9 9817 40a930 11 API calls 9814->9817 9815 7e9e6d 9815->9814 9821 40aaf8 11 API calls 9815->9821 9818 7e9f5a 9816->9818 9819 7e9eb9 9817->9819 9818->9697 9820 4071b8 13 API calls 9819->9820 9822 7e9ec3 9820->9822 9821->9814 9823 40a988 11 API calls 9822->9823 9825 7e9ed5 9823->9825 9824 7e9ef0 9827 40a988 11 API calls 9824->9827 9825->9824 9826 40a930 11 API calls 9825->9826 9826->9824 9828 7e9efe 9827->9828 10456 7b40e0 GetModuleHandleW 9828->10456 9830 7e9f11 9830->9795 9832 40d702 CoCreateInstance 9831->9832 9832->9722 9832->9723 9834 409ddc 11 API calls 9833->9834 9835 40a751 9834->9835 9835->9730 9874 4218a4 9836->9874 9839 7e9508 9840 7e9511 9839->9840 9840->9840 9841 409c54 11 API calls 9840->9841 9842 7e9548 9841->9842 9843 7e9565 CreatePipe 9842->9843 9844 7e9597 GetStdHandle 9843->9844 9845 7e9592 9843->9845 9847 40a988 11 API calls 9844->9847 9929 428598 GetLastError 9845->9929 9848 
7e95e5 9847->9848 9849 7e95f0 CreateProcessW 9848->9849 9850 7e95fc 9849->9850 9851 7e9601 CloseHandle CloseHandle 9849->9851 9852 428598 83 API calls 9850->9852 9919 72d1ac 9851->9919 9852->9851 9854 7e9643 ReadFile 9855 7e9668 9854->9855 9856 7e961f 9854->9856 9925 72d2fc 9855->9925 9856->9854 9856->9855 9932 72bdb8 9856->9932 9859 7e9673 9859->9735 9861 729eea 9860->9861 10292 727838 9861->10292 9863 729eff 9863->9739 9868 41f8fb 9864->9868 9865 41f92f 9866 41f947 9865->9866 9869 41f950 9865->9869 9867 409c54 11 API calls 9866->9867 9873 41f92d 9867->9873 9868->9865 9870 41f923 9868->9870 10298 42b678 9869->10298 9872 40a034 11 API calls 9870->9872 9872->9873 9873->9739 9877 4218d4 9874->9877 9878 4218dd 9877->9878 9880 42193d 9878->9880 9890 4217f4 9878->9890 9881 4219b0 9880->9881 9888 42195a 9880->9888 9882 409ddc 11 API calls 9881->9882 9884 42189c 9882->9884 9883 4219a4 9885 40a8b0 11 API calls 9883->9885 9884->9839 9885->9884 9886 409c54 11 API calls 9886->9888 9887 40a8b0 11 API calls 9887->9888 9888->9883 9888->9886 9888->9887 9889 4217f4 80 API calls 9888->9889 9889->9888 9893 421c0c 9890->9893 9898 421c5f 9893->9898 9900 421c66 9893->9900 9894 409cb4 11 API calls 9895 4225b0 9894->9895 9896 409c54 11 API calls 9895->9896 9897 42180d 9896->9897 9897->9880 9899 421778 80 API calls 9898->9899 9898->9900 9901 4204b8 34 API calls 9898->9901 9902 40a744 11 API calls 9898->9902 9905 420158 9898->9905 9912 4201c4 9898->9912 9899->9898 9900->9894 9901->9898 9902->9898 9906 420172 9905->9906 9907 420162 9905->9907 9909 41fd4c 11 API calls 9906->9909 9915 41fd4c 9907->9915 9911 42017d 9909->9911 9910 42016f 9910->9898 9911->9898 9913 41fd4c 11 API calls 9912->9913 9914 4201d5 9913->9914 9914->9898 9916 41fd5e 9915->9916 9917 40a8b0 11 API calls 9916->9917 9918 41fdd8 9917->9918 9918->9910 9920 72d1b2 9919->9920 9941 42bcfc 9920->9941 9922 72d1c3 9945 72d064 9922->9945 9924 72d1d1 9924->9856 9926 72d308 9925->9926 10230 42d1d8 9926->10230 9928 72d317 9928->9859 
10274 4285a8 9929->10274 9933 72bdd5 9932->9933 9934 42644c 57 API calls 9933->9934 9939 72bdf2 9933->9939 9936 72bded 9934->9936 9935 72be2d 9935->9854 9937 409314 11 API calls 9936->9937 9937->9939 9938 42644c 57 API calls 9938->9939 9939->9935 9939->9938 9940 409314 11 API calls 9939->9940 9940->9939 9942 42bd1c 9941->9942 9943 42bd05 GetACP 9941->9943 9942->9922 9953 42d49c 9943->9953 9946 72d076 9945->9946 9982 42c764 9946->9982 9950 72d0cc 9992 40bfa4 9950->9992 9954 42d4a8 9953->9954 9955 42d4c2 9954->9955 9956 42d4b8 GetACP 9954->9956 9957 42d4c5 GetCPInfo 9955->9957 9956->9957 9958 42d4e2 9957->9958 9962 42d4f9 9957->9962 9963 42644c 9958->9963 9960 42d4f4 9967 409314 9960->9967 9962->9942 9964 426453 9963->9964 9973 40ee08 9964->9973 9966 42646b 9966->9960 9968 409322 9967->9968 9969 409318 9967->9969 9972 409360 9968->9972 9979 406f30 9968->9979 9970 409a84 11 API calls 9969->9970 9970->9968 9974 40ee10 9973->9974 9975 40c270 56 API calls 9974->9975 9978 40ee5d 9974->9978 9976 40ee4c LoadStringW 9975->9976 9977 409ddc 11 API calls 9976->9977 9977->9978 9978->9966 9980 40ff84 11 API calls 9979->9980 9981 406f35 9980->9981 9981->9972 9983 42c77b 9982->9983 9998 40be80 9983->9998 9987 42c7d3 9988 72cf2c 9987->9988 9989 72cf38 9988->9989 9990 40bfe8 27 API calls 9989->9990 9991 72cf60 9990->9991 9991->9950 9994 40bfaa 9992->9994 9997 40bfe4 9992->9997 9993 40bfdb 9995 406e74 11 API calls 9993->9995 9994->9993 9994->9997 10177 40aec4 9994->10177 9995->9997 9997->9924 10031 40bbd8 9998->10031 10001 42c7f8 10002 42c840 10001->10002 10003 42c81c 10001->10003 10005 42c869 10002->10005 10009 42644c 57 API calls 10002->10009 10167 42651c 10003->10167 10007 42c896 10005->10007 10010 42651c 80 API calls 10005->10010 10011 42c8be 10007->10011 10012 42651c 80 API calls 10007->10012 10008 409314 11 API calls 10008->10002 10013 42c864 10009->10013 10014 42c891 10010->10014 10016 42c8f5 10011->10016 10020 42651c 80 API calls 10011->10020 10015 42c8b9 10012->10015 10017 
409314 11 API calls 10013->10017 10018 409314 11 API calls 10014->10018 10019 409314 11 API calls 10015->10019 10023 42651c 80 API calls 10016->10023 10026 42c931 10016->10026 10017->10005 10018->10007 10019->10011 10021 42c8f0 10020->10021 10022 409314 11 API calls 10021->10022 10022->10016 10024 42c92c 10023->10024 10025 409314 11 API calls 10024->10025 10025->10026 10027 42644c 57 API calls 10026->10027 10030 42c96b 10026->10030 10028 42c966 10027->10028 10029 409314 11 API calls 10028->10029 10029->10030 10030->9987 10032 40bbfb 10031->10032 10036 40bc16 10031->10036 10033 40bc06 10032->10033 10064 406f94 10032->10064 10035 40bfa4 27 API calls 10033->10035 10053 40bc11 10035->10053 10037 40bc64 10036->10037 10038 406f94 11 API calls 10036->10038 10039 40bc72 10037->10039 10040 406f94 11 API calls 10037->10040 10038->10037 10041 40bc84 10039->10041 10042 40bd51 10039->10042 10040->10039 10043 40bc94 10041->10043 10044 40bd3f 10041->10044 10046 406e58 11 API calls 10042->10046 10067 40bb94 10043->10067 10045 406e8c 11 API calls 10044->10045 10054 40bd12 10045->10054 10051 40bd58 10046->10051 10049 40bca0 10055 406e58 11 API calls 10049->10055 10050 40bd14 10052 406e8c 11 API calls 10050->10052 10059 40bd99 10051->10059 10086 40b6b8 10051->10086 10052->10054 10053->10001 10054->10053 10057 40bbd8 34 API calls 10054->10057 10060 40bcb7 10055->10060 10056 40bfa4 27 API calls 10056->10054 10057->10054 10059->10056 10060->10054 10077 40b590 10060->10077 10062 40bceb 10063 406e74 11 API calls 10062->10063 10063->10054 10065 406f48 11 API calls 10064->10065 10066 406fa7 10065->10066 10066->10033 10068 40ff84 11 API calls 10067->10068 10069 40bb9d 10068->10069 10070 40bbb3 10069->10070 10071 40bba5 10069->10071 10074 40ff84 11 API calls 10070->10074 10072 40ff84 11 API calls 10071->10072 10073 40bbaa 10072->10073 10073->10049 10073->10050 10075 40bbc1 10074->10075 10076 40ff84 11 API calls 10075->10076 10076->10073 10078 40b5ac 10077->10078 10080 40b5f0 10077->10080 
10079 40b682 10078->10079 10078->10080 10081 40b659 10078->10081 10082 40b62a 10078->10082 10083 406f94 11 API calls 10079->10083 10080->10062 10081->10080 10090 40b2b4 10081->10090 10082->10080 10085 40b590 34 API calls 10082->10085 10083->10080 10085->10082 10087 40b6c1 10086->10087 10088 40b6c9 10086->10088 10112 40b478 10087->10112 10088->10059 10091 40b453 10090->10091 10092 40b2d7 10090->10092 10091->10081 10092->10091 10093 406f94 11 API calls 10092->10093 10094 40b590 34 API calls 10092->10094 10095 40b2b4 34 API calls 10092->10095 10098 40e8ec 10092->10098 10106 40e8c0 10092->10106 10093->10092 10094->10092 10095->10092 10099 40e8fe 10098->10099 10100 40e8c0 25 API calls 10099->10100 10101 40e913 10100->10101 10102 408180 11 API calls 10101->10102 10103 40e922 10102->10103 10104 40e854 34 API calls 10103->10104 10105 40e92a 10104->10105 10105->10092 10107 40e8e5 10106->10107 10108 40e8cb 10106->10108 10107->10092 10109 408180 11 API calls 10108->10109 10110 40e8d8 10109->10110 10111 40e88c 25 API calls 10110->10111 10111->10107 10113 40b4bc 10112->10113 10114 40b48d 10112->10114 10129 40b4d9 10113->10129 10134 40a0d0 10113->10134 10115 40b492 10114->10115 10116 40b4de 10114->10116 10118 40b4f5 10115->10118 10119 40b497 10115->10119 10116->10129 10140 40a0a8 10116->10140 10121 40a034 11 API calls 10118->10121 10118->10129 10122 40b509 10119->10122 10123 40b49c 10119->10123 10121->10118 10122->10129 10147 40b0f4 10122->10147 10124 40b4a1 10123->10124 10125 40b51d 10123->10125 10127 40b540 10124->10127 10128 40b4aa 10124->10128 10125->10129 10130 40b478 34 API calls 10125->10130 10127->10129 10152 40b10c 10127->10152 10128->10113 10128->10129 10132 40b571 10128->10132 10129->10088 10130->10125 10132->10129 10163 40bfe8 10132->10163 10135 40a0d4 10134->10135 10138 40a0e8 10134->10138 10137 409be8 11 API calls 10135->10137 10135->10138 10136 40a116 10136->10113 10137->10138 10138->10136 10139 406e74 11 API calls 10138->10139 10139->10136 10141 40a0ac 
10140->10141 10142 40a0cf 10140->10142 10143 409c34 10141->10143 10144 40a0bf SysReAllocStringLen 10141->10144 10142->10116 10145 409cb0 10143->10145 10146 409ca2 SysFreeString 10143->10146 10144->10142 10144->10143 10145->10116 10146->10145 10148 40b104 10147->10148 10149 40b0fd 10147->10149 10150 406f94 11 API calls 10148->10150 10149->10122 10151 40b10b 10150->10151 10151->10122 10153 40b29b 10152->10153 10154 40b131 10152->10154 10153->10127 10154->10153 10155 40e8ec 34 API calls 10154->10155 10156 40a0d0 11 API calls 10154->10156 10157 40a0a8 SysFreeString SysReAllocStringLen 10154->10157 10158 40a034 11 API calls 10154->10158 10159 40b0f4 11 API calls 10154->10159 10160 40b478 34 API calls 10154->10160 10161 40b10c 34 API calls 10154->10161 10162 40bfe8 27 API calls 10154->10162 10155->10154 10156->10154 10157->10154 10158->10154 10159->10154 10160->10154 10161->10154 10162->10154 10164 40bfec 10163->10164 10165 40bfa4 27 API calls 10164->10165 10166 40c015 10164->10166 10165->10166 10166->10132 10168 42652a 10167->10168 10169 40ee08 57 API calls 10168->10169 10170 426554 10169->10170 10171 42187c 80 API calls 10170->10171 10172 426562 10171->10172 10173 40a034 11 API calls 10172->10173 10174 42656d 10173->10174 10175 409cb4 11 API calls 10174->10175 10176 426587 10175->10176 10176->10008 10178 40aecd 10177->10178 10203 40af0a 10177->10203 10179 40aee2 10178->10179 10180 40af0f 10178->10180 10183 40aee6 10179->10183 10184 40af49 10179->10184 10181 40af20 10180->10181 10182 40af16 10180->10182 10208 409ce4 10181->10208 10189 409c78 11 API calls 10182->10189 10185 40aeea 10183->10185 10186 40af2c 10183->10186 10187 40af50 10184->10187 10188 40af57 10184->10188 10191 40af60 10185->10191 10192 40aeee 10185->10192 10195 40af33 10186->10195 10196 40af3d 10186->10196 10193 409c54 11 API calls 10187->10193 10194 409cb4 11 API calls 10188->10194 10189->10203 10191->10203 10219 40aeac 10191->10219 10197 40aef2 10192->10197 10198 40af6f 10192->10198 10193->10203 
10194->10203 10212 409c9c 10195->10212 10215 409d14 10196->10215 10205 40af8d 10197->10205 10207 40aefa 10197->10207 10202 40aec4 27 API calls 10198->10202 10198->10203 10202->10198 10203->9993 10205->10203 10224 40ae4c 10205->10224 10206 40bfa4 27 API calls 10206->10207 10207->10203 10207->10206 10210 409cea 10208->10210 10209 409d10 10209->10203 10210->10209 10211 406e74 11 API calls 10210->10211 10211->10210 10213 409cb0 10212->10213 10214 409ca2 SysFreeString 10212->10214 10213->10203 10214->10213 10216 409d1a 10215->10216 10217 409d20 SysFreeString 10216->10217 10218 409d32 10216->10218 10217->10216 10218->10203 10220 40aeb5 10219->10220 10221 40aebc 10219->10221 10220->10191 10222 406f94 11 API calls 10221->10222 10223 40aec3 10222->10223 10223->10191 10226 40ae62 10224->10226 10228 40ae7f 10224->10228 10225 40ae81 10225->10228 10229 40e8c0 25 API calls 10225->10229 10226->10225 10227 40aec4 27 API calls 10226->10227 10226->10228 10227->10226 10228->10205 10229->10225 10233 42d1f5 10230->10233 10231 42d219 10232 42d241 10231->10232 10234 42651c 80 API calls 10231->10234 10238 42651c 80 API calls 10232->10238 10242 42d269 10232->10242 10233->10231 10235 42644c 57 API calls 10233->10235 10237 42d23c 10234->10237 10236 42d214 10235->10236 10239 409314 11 API calls 10236->10239 10240 409314 11 API calls 10237->10240 10241 42d264 10238->10241 10239->10231 10240->10232 10246 409314 11 API calls 10241->10246 10243 42d29e 10242->10243 10244 42651c 80 API calls 10242->10244 10256 42ca88 10243->10256 10247 42d299 10244->10247 10246->10242 10249 409314 11 API calls 10247->10249 10249->10243 10250 42d2cd 10251 40a8b0 11 API calls 10250->10251 10255 42d2d7 10251->10255 10252 42644c 57 API calls 10253 42d2c8 10252->10253 10254 409314 11 API calls 10253->10254 10254->10250 10255->9928 10257 42cab4 10256->10257 10258 42ca99 10256->10258 10259 42cae1 10257->10259 10261 42651c 80 API calls 10257->10261 10258->10257 10260 42644c 57 API calls 10258->10260 10262 42cb09 
10259->10262 10265 42651c 80 API calls 10259->10265 10263 42caaf 10260->10263 10264 42cadc 10261->10264 10267 42cb3f 10262->10267 10271 42651c 80 API calls 10262->10271 10268 409314 11 API calls 10263->10268 10269 409314 11 API calls 10264->10269 10266 42cb04 10265->10266 10270 409314 11 API calls 10266->10270 10267->10250 10267->10252 10268->10257 10269->10259 10270->10262 10272 42cb3a 10271->10272 10273 409314 11 API calls 10272->10273 10273->10267 10275 42860b 10274->10275 10276 4285cb 10274->10276 10278 42644c 57 API calls 10275->10278 10286 424dd8 10276->10286 10280 428607 10278->10280 10279 4285de 10281 42651c 80 API calls 10279->10281 10282 409314 11 API calls 10280->10282 10281->10280 10283 428629 10282->10283 10284 409c54 11 API calls 10283->10284 10285 4285a4 10284->10285 10285->9844 10287 424de9 10286->10287 10288 424def FormatMessageW 10286->10288 10287->10288 10289 424e11 10288->10289 10290 409ddc 11 API calls 10289->10290 10291 424e37 LocalFree 10290->10291 10291->10279 10293 72783e 10292->10293 10294 42bcfc 60 API calls 10293->10294 10295 727858 10294->10295 10296 40a034 11 API calls 10295->10296 10297 727868 10296->10297 10297->9863 10299 40aaf8 11 API calls 10298->10299 10300 42b694 10299->10300 10300->9873 10302 409ae4 10301->10302 10303 406e74 11 API calls 10302->10303 10304 409b02 10303->10304 10306 7e7ed7 10305->10306 10309 7e7f1b 10305->10309 10473 7e2d08 10306->10473 10309->9777 10495 7e7dc0 10310->10495 10312 7e9259 ExitProcess 10313 42ea48 10312->10313 10314 42ea51 10313->10314 10315 40a0d0 11 API calls 10314->10315 10316 42ea60 10315->10316 10317 409c54 11 API calls 10316->10317 10318 42ea93 VirtualAlloc 10317->10318 10318->9782 10750 409d48 10319->10750 10322 7b53b5 10323 7b3fd8 11 API calls 10322->10323 10324 7b53be CryptAcquireContextA 10323->10324 10325 7b55d2 10324->10325 10326 7b53e0 LoadLibraryW 10324->10326 10327 409ce4 11 API calls 10325->10327 10328 7b53fd 10326->10328 10329 7b55ec 10327->10329 10330 7b3fd8 11 API calls 
10328->10330 10331 409c78 11 API calls 10329->10331 10332 7b5406 CryptCreateHash 10330->10332 10333 7b55f4 10331->10333 10334 7b559b LoadLibraryW 10332->10334 10335 7b542a LoadLibraryW 10332->10335 10333->9786 10337 7b55b8 10334->10337 10336 7b5447 10335->10336 10339 7b3fd8 11 API calls 10336->10339 10338 7b3fd8 11 API calls 10337->10338 10340 7b55c1 CryptReleaseContext 10338->10340 10341 7b5450 CryptHashData 10339->10341 10340->10325 10343 7b5488 LoadLibraryW 10341->10343 10344 7b5566 LoadLibraryW 10341->10344 10345 7b54a5 10343->10345 10346 7b5583 10344->10346 10347 7b3fd8 11 API calls 10345->10347 10348 7b3fd8 11 API calls 10346->10348 10349 7b54ae CryptDeriveKey 10347->10349 10350 7b558c CryptDestroyHash 10348->10350 10349->10344 10351 7b54d4 LoadLibraryW 10349->10351 10350->10334 10352 7b54f9 10351->10352 10353 7b3fd8 11 API calls 10352->10353 10354 7b5502 CryptDecrypt 10353->10354 10355 7b5531 LoadLibraryW 10354->10355 10356 7b5525 10354->10356 10357 7b554e 10355->10357 10356->10355 10358 7b3fd8 11 API calls 10357->10358 10359 7b5557 CryptDestroyKey 10358->10359 10359->10344 10361 7e29e0 10360->10361 10362 409c54 11 API calls 10361->10362 10363 7e2a26 10362->10363 10752 7c9d78 10363->10752 10365 7e2a40 10756 7c9eec 10365->10756 10368 40ae4c 27 API calls 10369 7e2a78 10368->10369 10769 7cb248 10369->10769 10373 7e2a93 10805 7c8758 10373->10805 10379 7e2ad2 10380 7c8758 80 API calls 10379->10380 10381 7e2af6 10380->10381 10382 7c69f0 34 API calls 10381->10382 10383 7e2b01 10382->10383 10384 7c8758 80 API calls 10383->10384 10385 7e2b27 10384->10385 10386 7c69f0 34 API calls 10385->10386 10387 7e2b32 10386->10387 10388 72bf08 80 API calls 10387->10388 10438 7b3ff1 10433->10438 10434 409c78 11 API calls 10435 7b40c7 10434->10435 10436 409c78 11 API calls 10435->10436 10437 7b40cf 10436->10437 10437->9830 10439 4071b8 10437->10439 10438->10434 10440 409c54 11 API calls 10439->10440 10441 4071cc 10440->10441 10442 4071d0 GetModuleFileNameW 10441->10442 10443 4071ee 
                                                                                                                            Control-flow graph edge list (node ids and addresses only) omitted. APIs referenced by its nodes: GetCommandLineW, GetLastError, GetModuleHandleW, GetProcAddress, GetSystemInfo, GetTickCount, GetCurrentThreadId, Sleep, SwitchToThread, GetLogicalProcessorInformation, VirtualAlloc, VirtualProtect, LoadLibraryW.

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll,00000000,007B55F5), ref: 007B539D
                                                                                                                            • CryptAcquireContextA.ADVAPI32(00000004,00000000,00000000,00000018,F0000000,advapi32.dll,00000000,007B55F5), ref: 007B53D2 (dwProvType 0x18 = PROV_RSA_AES, dwFlags 0xF0000000 = CRYPT_VERIFYCONTEXT: ephemeral key container)
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B53E5
                                                                                                                            • CryptCreateHash.ADVAPI32(00000004,00008003,00000000,00000000,002CCA80,advapi32.dll), ref: 007B541C (Algid 0x8003 = CALG_MD5)
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B542F
                                                                                                                            • CryptHashData.ADVAPI32(002CCA80,00000000,00000000,00000000,advapi32.dll), ref: 007B547A
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B548D
                                                                                                                            • CryptDeriveKey.ADVAPI32(00000004,00006610,002CCA80,00000000,00001000,advapi32.dll), ref: 007B54C6 (Algid 0x6610 = CALG_AES_256, derived from the MD5 hash object 002CCA80)
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B54E1
                                                                                                                            • CryptDecrypt.ADVAPI32(00001000,00000000,000000FF,00000000,?,00000000,advapi32.dll), ref: 007B551B (Final = TRUE: single call, padding stripped by CryptoAPI)
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B5536
                                                                                                                            • CryptDestroyKey.ADVAPI32(00001000,advapi32.dll), ref: 007B5560
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B556B
                                                                                                                            • CryptDestroyHash.ADVAPI32(002CCA80,advapi32.dll), ref: 007B5595
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B55A0
                                                                                                                            • CryptReleaseContext.ADVAPI32(00000004,00000000,advapi32.dll), ref: 007B55CC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CryptLibraryLoad$Hash$ContextDestroy$AcquireCreateDataDecryptDeriveRelease
                                                                                                                            • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptHashData$CryptReleaseContext$advapi32.dll
                                                                                                                            • API String ID: 356472661-3162055376
                                                                                                                            • Opcode ID: fec46e047e9ddfbb83fe1a6393d567993411663d334542dbc158f3109344dd6e
                                                                                                                            • Instruction ID: 47a17ac59eb57dbe9d34b909bc6e916c90a8f8a8bd0d4f90a573f526ac9ac154
                                                                                                                            • Opcode Fuzzy Hash: fec46e047e9ddfbb83fe1a6393d567993411663d334542dbc158f3109344dd6e
                                                                                                                            • Instruction Fuzzy Hash: BF710F71E0020CAFDB11EFE5D985BEEB7B9EB08704F54812AF504F7291DA78A901CB65
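The Crypt* sequence listed above (acquire a PROV_RSA_AES context with CRYPT_VERIFYCONTEXT, MD5-hash some input, CryptDeriveKey an AES-256 key from that hash object, one CryptDecrypt call with Final set, then destroy key, hash and context) is the standard CryptoAPI password-to-key path. Each Crypt* call is preceded by LoadLibraryW(advapi32.dll) and the function names are present as strings, so the sample resolves them by name at run time rather than importing them. To decrypt the same data outside the sample, the part people get wrong is CryptDeriveKey: for a non-SHA-2 hash feeding AES it does not truncate the digest but runs the documented 0x36/0x5C expansion. The following is an added example for this report, not code recovered from GfxDriverUpdater.exe; the secret and the padded buffer are constructed inputs, and the optional AES-CBC helper assumes the third-party `cryptography` package.

```python
"""CryptoAPI key derivation as used by the Crypt* call sequence above:
CryptCreateHash(CALG_MD5) -> CryptHashData(secret) -> CryptDeriveKey(CALG_AES_256)
-> CryptDecrypt(Final=TRUE).

Added example for this report, not code recovered from GfxDriverUpdater.exe.
The secret and the padded buffer used below are constructed inputs.
"""
import hashlib

CALG_MD5 = 0x8003         # ALG_ID seen in CryptCreateHash
CALG_AES_256 = 0x6610     # ALG_ID seen in CryptDeriveKey
AES_256_KEY_LEN = 32
AES_BLOCK_LEN = 16


def cryptoapi_derive_key(hash_value: bytes, key_len: int, hash_fn=hashlib.md5) -> bytes:
    """Documented CryptDeriveKey expansion for a non-SHA-2 hash feeding AES or 3DES.

    1. 64-byte buffer of 0x36, XOR the hash value into its first k bytes, hash it.
    2. 64-byte buffer of 0x5C, XOR the hash value into its first k bytes, hash it.
    3. Concatenate the two digests and keep the first key_len bytes.
    The result is NOT a truncation of the MD5 digest, which is the usual mistake
    when re-deriving such keys offline.
    """
    if key_len > 2 * hash_fn().digest_size:
        raise ValueError("requested key longer than two digests")
    inner = bytearray(b"\x36" * 64)
    outer = bytearray(b"\x5c" * 64)
    for i, b in enumerate(hash_value):
        inner[i] ^= b
        outer[i] ^= b
    return (hash_fn(bytes(inner)).digest() + hash_fn(bytes(outer)).digest())[:key_len]


def derive_aes256_key(secret: bytes) -> bytes:
    """CryptHashData(hHash, secret) followed by CryptDeriveKey(CALG_AES_256, hHash)."""
    return cryptoapi_derive_key(hashlib.md5(secret).digest(), AES_256_KEY_LEN)


def pkcs7_unpad(buf: bytes, block_len: int = AES_BLOCK_LEN) -> bytes:
    """What CryptDecrypt strips on the Final=TRUE call; rejects malformed padding."""
    if not buf or len(buf) % block_len:
        raise ValueError("length is not a multiple of the block size")
    n = buf[-1]
    if not 1 <= n <= block_len or buf[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return buf[:-n]


def cryptoapi_aes_cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """CryptDecrypt defaults for a CryptDeriveKey AES key: CBC mode, all-zero IV,
    PKCS#7 padding (unless the sample sets KP_MODE/KP_IV, which the trace does not show).
    Assumes the third-party 'cryptography' package for the AES primitive."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(bytes(AES_BLOCK_LEN))).decryptor()
    return pkcs7_unpad(dec.update(ciphertext) + dec.finalize())


if __name__ == "__main__":
    key = derive_aes256_key(b"constructed-secret")   # constructed input
    print(key.hex())
```

Feed `derive_aes256_key` whatever bytes the sample passes to CryptHashData (recover them from the argument at ref 007B547A in a debugger) and the resulting 32 bytes are the key CryptDecrypt uses; if a later KP_IV or KP_MODE CryptSetKeyParam call shows up in a fuller trace, change the IV or mode in `cryptoapi_aes_cbc_decrypt` accordingly.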

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNEL32(?,?,00003000,00000004,00000000,007B52AF), ref: 007B5068
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,00003000,00000004,00000000,007B52AF), ref: 007B5086
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B509D
                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B50C8
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000001C,ntdll.dll,kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B50F2
                                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 007B50F9
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007B510D
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007B5157
                                                                                                                            • GetNativeSystemInfo.KERNEL32(?,kernel32.dll), ref: 007B5181
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 007B51A2
                                                                                                                              • Part of subcall function 007B4320: VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,00000000,007B4494), ref: 007B43A7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocHandleModuleVirtual$Heap$AllocateInfoNativeProcessSystem
                                                                                                                            • String ID: GetNativeSystemInfo$GetProcessHeap$RtlAllocateHeap$VirtualFree$kernel32.dll$ntdll.dll
                                                                                                                            • API String ID: 3588257604-3383334672
                                                                                                                            • Opcode ID: 5252a676d7cf67b3433c0d4f0307cf49fa20c743a513d3c0947a1f3d5c15c59c
                                                                                                                            • Instruction ID: 5a2516d524bd7c5ddbea5265d8c0d5986cf8ec3fc2fcd87e6724b89241428392
                                                                                                                            • Opcode Fuzzy Hash: 5252a676d7cf67b3433c0d4f0307cf49fa20c743a513d3c0947a1f3d5c15c59c
                                                                                                                            • Instruction Fuzzy Hash: 3991D7B4A006089FDB01EFE8C945BEEB7F4BF09304F1085A5E904AB396D779AE45CB54

                                                                                                                            Control-flow Graph

                                                                                                                            Control-flow graph legend (Executed / Not Executed) and block list omitted. Blocks 7b4a04-7b4c13: GetModuleHandleW, IsBadReadPtr and LoadLibraryA, then a loop containing two GetProcAddress call sites (7b4b51 and 7b4b75) and a second GetModuleHandleW; helper calls to 7b42dc, 40a2dc, 7b3fd8, 40be80 and 409ce4.
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,007B4C14), ref: 007B4A5F
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 007B4A8B (0x14 = sizeof(IMAGE_IMPORT_DESCRIPTOR): readability check on an import descriptor)
                                                                                                                            • LoadLibraryA.KERNEL32(00000004), ref: 007B4AB0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HandleLibraryLoadModuleRead
                                                                                                                            • String ID: FreeLibrary$IsBadReadPtr$kernel32.dll$l?{
                                                                                                                            • API String ID: 451321832-101461405
                                                                                                                            • Opcode ID: 971622f1188d7a1cb5bfba1f7b5d6b2348bcffe93499f32e63adb521971de2b6
                                                                                                                            • Instruction ID: 9dcba612fda944ade1e3116f5c822e680645cf716477f5e54a39763873799cd9
                                                                                                                            • Opcode Fuzzy Hash: 971622f1188d7a1cb5bfba1f7b5d6b2348bcffe93499f32e63adb521971de2b6
                                                                                                                            • Instruction Fuzzy Hash: 9A71D3B5A00209DFCB01CF98C885BEEBBF4FB09314F148465E915AB392D338E981CB65

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetSystemInfo.KERNEL32(?,00000000,007E9B8C,?,00000000,007E9B9D,?,00000000,007E9BD8), ref: 007E9A47
                                                                                                                            • GetLogicalProcessorInformation.KERNEL32(00000000,00000000,?,00000000,007E9B9D,?,00000000,007E9BD8), ref: 007E9AA8
                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,007E9B9D,?,00000000,007E9BD8), ref: 007E9AAD
                                                                                                                            • GetLogicalProcessorInformation.KERNEL32(007EEF1D,00000000), ref: 007E9AD9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InformationLogicalProcessor$ErrorInfoLastSystem
                                                                                                                            • String ID: Failed to get logical processor information.$Logical Processor Count: %d$Number of Processors: %d$Processor Architecture: %d$J@
                                                                                                                            • API String ID: 1544102426-2207478826
                                                                                                                            • Opcode ID: 2339d6626d47ba9474be9e537d151d467eb5dc226133e7cccffbeb2a53744075
                                                                                                                            • Instruction ID: fbe9dfa0372ccc05cfa483fef58cdc88ef828daadaa5b9f9fd618da614c26959
                                                                                                                            • Opcode Fuzzy Hash: 2339d6626d47ba9474be9e537d151d467eb5dc226133e7cccffbeb2a53744075
                                                                                                                            • Instruction Fuzzy Hash: 34514EB5A041489FDB04DFA5D88199EBBF5EF4C304F60847AE501E7351EB38AE06CB65

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CreatePipe.KERNEL32(?,?,00000000,00000000,00000000,007E96CC,?,00000000,007E96EF), ref: 007E9589
                                                                                                                            • GetStdHandle.KERNEL32(000000F6,00000000,007E96BB,?,?,?,00000000,00000000,00000000,007E96CC,?,00000000,007E96EF), ref: 007E95B3
                                                                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08000000,00000000,00000000,00000044,?,000000F6,00000000,007E96BB,?,?,?), ref: 007E95F3
                                                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,000000FF,08000000,00000000,00000000,00000044,?,000000F6,00000000,007E96BB,?,?), ref: 007E9605
                                                                                                                            • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,000000FF,08000000,00000000,00000000,00000044,?,000000F6,00000000,007E96BB), ref: 007E960E
                                                                                                                            • ReadFile.KERNEL32(?,?,00002000,?,00000000,00000000,007E9689,?,?,?,00000000,00000000,00000000,00000000,000000FF,08000000), ref: 007E9659
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Handle$CloseCreate$FilePipeProcessRead
                                                                                                                            • String ID: <p$D$cmd.exe /C
                                                                                                                            • API String ID: 4083379186-4185180293
                                                                                                                            • Opcode ID: 42343ff3d35f8c2b3a18e0bda502392547dc06e527fe378d4099dc0fefe20691
                                                                                                                            • Instruction ID: aea3c24c8656945c2a6e50c6d6569f138bee8bd9435b15d3ee1a623a0e3af2da
                                                                                                                            • Opcode Fuzzy Hash: 42343ff3d35f8c2b3a18e0bda502392547dc06e527fe378d4099dc0fefe20691
                                                                                                                            • Instruction Fuzzy Hash: 3D415CB1A00248AFDB10DFA5CC46BEEB7B8EB09704F514566FA04E7291E738A950CB65
                                                                                                                            APIs
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 007E93F2
                                                                                                                            • CoCreateInstance.COMBASE(007F68F0,00000000,00000001,007F6900,00000000), ref: 007E941C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateInitializeInstance
                                                                                                                            • String ID: ;~
                                                                                                                            • API String ID: 3519745914-3055229447
                                                                                                                            • Opcode ID: 6d6446ab4a22b5c229ab1acce25db7fbaa64785fd43dfb239ff7a04bdc353970
                                                                                                                            • Instruction ID: 1b56f296d172d2fc3affbfadac37da574de591152644671a5325bca81054ba8a
                                                                                                                            • Opcode Fuzzy Hash: 6d6446ab4a22b5c229ab1acce25db7fbaa64785fd43dfb239ff7a04bdc353970
                                                                                                                            • Instruction Fuzzy Hash: 5531DFB2604689AFDB10EFA2CC42B6E77B8EB09710F510679F220E61D1DB7999068625
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,NtQueryVirtualMemory), ref: 05B54A73
                                                                                                                            • GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 05B54A79
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: NtQueryVirtualMemory$ntdll.dll
                                                                                                                            • API String ID: 2574300362-2623246514
                                                                                                                            • Opcode ID: 16d7dfccc2aa32ee6dbe21c2b40d74d5bca20bf2025793efa77812982a3dba70
                                                                                                                            • Instruction ID: c5b8297a6b19a281a9ca0604b60dd977a44c897d2656e525fe2f507abf6e1c5a
                                                                                                                            • Opcode Fuzzy Hash: 16d7dfccc2aa32ee6dbe21c2b40d74d5bca20bf2025793efa77812982a3dba70
                                                                                                                            • Instruction Fuzzy Hash: 0C018B397242849FDB04DBA4E853B5A7FB5E744320F5181A4E8185B384EAB6BD00CFAD
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,NtQueryVirtualMemory), ref: 007B4F4B
                                                                                                                            • GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 007B4F51
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: NtQueryVirtualMemory$ntdll.dll
                                                                                                                            • API String ID: 2574300362-2623246514
                                                                                                                            • Opcode ID: 66ebbfa2784b3ac5fbb9ab1e3a713bf9959c7c3717c5e925c5b7f31504a21437
                                                                                                                            • Instruction ID: f17778a7c0ed964feba1de9a29f05c9ee118eaa7513c5c1b1aaaad5e909bb89e
                                                                                                                            • Opcode Fuzzy Hash: 66ebbfa2784b3ac5fbb9ab1e3a713bf9959c7c3717c5e925c5b7f31504a21437
                                                                                                                            • Instruction Fuzzy Hash: 04F08171A042889FD701DB68ED02BBA37A5A701304F51817AE920673E2D6BE6D04CB4D
                                                                                                                            APIs
                                                                                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040D36C,?,00000000), ref: 0040D2DE
                                                                                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040D36C,?,00000000), ref: 0040D2E7
                                                                                                                              • Part of subcall function 0040D174: FindFirstFileW.KERNEL32(00000000,?,00000000,0040D1D2,?,00000001), ref: 0040D1A7
                                                                                                                              • Part of subcall function 0040D174: FindClose.KERNEL32(00000000,00000000,?,00000000,0040D1D2,?,00000001), ref: 0040D1B7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3216391948-0
                                                                                                                            • Opcode ID: 8171befa399776394855f7772752bf61937ae0edf01eb9956f216c50ffbe8403
                                                                                                                            • Instruction ID: 5bee3d7389c6acc46d28f30a4437a6c5884315750edb49e093e002628e217075
                                                                                                                            • Opcode Fuzzy Hash: 8171befa399776394855f7772752bf61937ae0edf01eb9956f216c50ffbe8403
                                                                                                                            • Instruction Fuzzy Hash: E7113670E042099BDB04EBD6C842AAEB3B8EF45304F50447BB904B73D2D7785E089B6A
                                                                                                                            APIs
                                                                                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0569E388,?,?), ref: 0569E2FA
                                                                                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0569E388,?,?), ref: 0569E303
                                                                                                                              • Part of subcall function 0569E190: FindFirstFileW.KERNEL32(00000000,?,00000000,0569E1EE,?,00000001), ref: 0569E1C3
                                                                                                                              • Part of subcall function 0569E190: FindClose.KERNEL32(00000000,00000000,?,00000000,0569E1EE,?,00000001), ref: 0569E1D3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3216391948-0
                                                                                                                            • Opcode ID: e484a7dd81afe238666ccb42c66fd226065a1abd2358195859dcfff781561047
                                                                                                                            • Instruction ID: edc62fc5642761d3e3e9f20ff7ed7c46b7c1388a9e22fb4bd81f9973a5c293f2
                                                                                                                            • Opcode Fuzzy Hash: e484a7dd81afe238666ccb42c66fd226065a1abd2358195859dcfff781561047
                                                                                                                            • Instruction Fuzzy Hash: 9F114C70B04209ABDF08EFA4D985AAEF3BDEF49700F50447DA505E7760EB359E04C669
                                                                                                                            APIs
                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0040D1D2,?,00000001), ref: 0040D1A7
                                                                                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,0040D1D2,?,00000001), ref: 0040D1B7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2295610775-0
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000000,0569E1EE,?,00000001), ref: 0569E1C3
• FindClose.KERNEL32(00000000,00000000,?,00000000,0569E1EE,?,00000001), ref: 0569E1D3
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000105), ref: 0040CDD1
• RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0040CE1A
• RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0040CE3C
• RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0040CE5A
• RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040CE78
• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040CE96
• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040CEB4
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040CFA0,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0040CEF4
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040CFA0,?,80000001), ref: 0040CF1F
• RegCloseKey.ADVAPI32(?,0040CFA7,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040CFA0,?,80000001,Software\Embarcadero\Locales), ref: 0040CF9A
Strings
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: Open$QueryValue$CloseFileModuleName
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
• API String ID: 2701450724-3496071916

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0569DFD9,?,?), ref: 0569DDED
• RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0569DFD9,?,?), ref: 0569DE36
• RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0569DFD9,?,?), ref: 0569DE58
• RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0569DE76
• RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0569DE94
• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0569DEB2
• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0569DED0
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0569DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0569DFD9), ref: 0569DF10
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0569DFBC,?,80000001), ref: 0569DF3B
• RegCloseKey.ADVAPI32(?,0569DFC3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0569DFBC,?,80000001,Software\Embarcadero\Locales), ref: 0569DFB6
Strings
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: Open$QueryValue$CloseFileModuleName
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
• API String ID: 2701450724-3496071916

Control-flow Graph

APIs
• RtlEnterCriticalSection.NTDLL(007F9C14), ref: 0040CA82
• RtlLeaveCriticalSection.NTDLL(007F9C14), ref: 0040CAA6
• RtlLeaveCriticalSection.NTDLL(007F9C14), ref: 0040CAB5
• IsValidLocale.KERNEL32(00000000,00000002,00000000,0040CB68,?,?,00000000,00000000,?,0040D430), ref: 0040CAC7
• RtlEnterCriticalSection.NTDLL(007F9C14), ref: 0040CB24
• RtlLeaveCriticalSection.NTDLL(007F9C14), ref: 0040CB4D
Strings
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: CriticalSection$Leave$Enter$LocaleValid
• String ID: en-GB,en,en-US,
• API String ID: 975949045-3021119265

Control-flow Graph
APIs
• VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,00000000,007B4494), ref: 007B43A7
• GetModuleHandleW.KERNEL32(ntdll.dll,?,00000000,00001000,00000004,00000000,007B4494), ref: 007B43D8
• RtlZeroMemory.NTDLL(00000000,00000000), ref: 007B4406
• VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,00000000,007B4494), ref: 007B442A
Strings
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleZero
• String ID: ($RtlZeroMemory$ntdll.dll
• API String ID: 3603811010-1796206821

Control-flow Graph
APIs
• Sleep.KERNEL32(00000000,?,?,00000000,00405946), ref: 00405D6A
• Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00405946), ref: 00405D84
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
                                                                                                                            • Opcode ID: bf55c4a8b4325fc80d3ba671499515482fef93059d5458a4d5b70fd8e74363ca
                                                                                                                            • Instruction ID: f42874e96fb100516b1e3b15773f3479f6daa7b2b6afeb8833a6be1f5f91c3e8
                                                                                                                            • Opcode Fuzzy Hash: bf55c4a8b4325fc80d3ba671499515482fef93059d5458a4d5b70fd8e74363ca
                                                                                                                            • Instruction Fuzzy Hash: A271C231604A008BE715DB29D988B2BBBD4EF85314F14C2BFE448AB3D6D6788C41CF99

                                                                                                                             Control-flow Graph
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000000,?), ref: 05695DEE
                                                                                                                            • Sleep.KERNEL32(0000000A,00000000,?), ref: 05695E08
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
                                                                                                                             • Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: 382a7dc8ac13a6c48a60ef025c974eb0eb9210412e6ea644510517fe7bf1b458
                                                                                                                            • Instruction ID: 7376b7cf57cd69d01bb20ff4abe5c14b3e1e9cbee02bd77913347cacb89757b6
                                                                                                                            • Opcode Fuzzy Hash: 382a7dc8ac13a6c48a60ef025c974eb0eb9210412e6ea644510517fe7bf1b458
                                                                                                                            • Instruction Fuzzy Hash: 9F7105716153008FDF1BCF28D988B66BFD9AFA5310F1481AEE44ACB781D7B09845CB95

                                                                                                                             Control-flow Graph
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 79643ef1003fa301609067a8eb4aa8843e0c70367852bd7da28e5c391c9f8f21
                                                                                                                            • Instruction ID: 8bf2f484fb052dc348627bc6056703cb5cc6fcb1b83457ffed024862f1f7e90f
                                                                                                                            • Opcode Fuzzy Hash: 79643ef1003fa301609067a8eb4aa8843e0c70367852bd7da28e5c391c9f8f21
                                                                                                                            • Instruction Fuzzy Hash: CDC124B2700A014BE714AA7D9C8436FB386DB84324F18823FE615EB3C6DA7CCC558B58

                                                                                                                             Control-flow Graph
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
                                                                                                                             • Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 9904275983caea86a1ea49fced6cfe434409fab4249240a8d0c45ccb8d00f20c
                                                                                                                            • Instruction ID: 423060fb97797e7b3d2d95aad1b1c192be5332d56f0dada25b9ecb7e7c2dd983
                                                                                                                            • Opcode Fuzzy Hash: 9904275983caea86a1ea49fced6cfe434409fab4249240a8d0c45ccb8d00f20c
                                                                                                                            • Instruction Fuzzy Hash: 04C103727147010BEF1E9A7CDD8876EB78EAF94221F18823EE55ACB395DA64C806C744

                                                                                                                             Control-flow Graph
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,007B4697), ref: 007B4594
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HandleModule
                                                                                                                            • String ID: VirtualFree$VirtualProtect$kernel32.dll
                                                                                                                            • API String ID: 4139908857-1224923055
                                                                                                                            • Opcode ID: 19c8551c2195fcdceebd7926ab0eb691ef3b0810175740698e713e31f368a411
                                                                                                                            • Instruction ID: 0b8ab5a9b2856f36598400422616f5644310fea3b9dc8890968105fc8d5a7df4
                                                                                                                            • Opcode Fuzzy Hash: 19c8551c2195fcdceebd7926ab0eb691ef3b0810175740698e713e31f368a411
                                                                                                                            • Instruction Fuzzy Hash: 1C511C74A042499FCB05CFA8C484FEDBBF6BF49304F198195E444E7362D778AA50DB54

                                                                                                                             Control-flow Graph
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000000,FFFFFFDC,0040591E), ref: 00405A07
                                                                                                                            • Sleep.KERNEL32(0000000A,00000000,FFFFFFDC,0040591E), ref: 00405A1D
                                                                                                                            • Sleep.KERNEL32(00000000,?,?,FFFFFFDC,0040591E), ref: 00405A4B
                                                                                                                            • Sleep.KERNEL32(0000000A,00000000,?,?,FFFFFFDC,0040591E), ref: 00405A61
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: e66bb4f38784bfd9137c613fbcda4af8e397fc48fb03a2f0753061454b312cb4
• Instruction ID: 448122a87f01940f9d306d6a2908d841a3c3914fb1e7434872886097ef0cf150
• Opcode Fuzzy Hash: e66bb4f38784bfd9137c613fbcda4af8e397fc48fb03a2f0753061454b312cb4
• Instruction Fuzzy Hash: CDC12672605A518BDB19CF2DE884767BBA0EB85310F09C2BFD0149B3D1C3B8A941CF99
APIs
• Sleep.KERNEL32(00000000,?,05696274), ref: 05695A8B
• Sleep.KERNEL32(0000000A,00000000,?,05696274), ref: 05695AA1
• Sleep.KERNEL32(00000000,?,?,?,05696274), ref: 05695ACF
• Sleep.KERNEL32(0000000A,00000000,?,?,?,05696274), ref: 05695AE5
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 00eca0c31957f065def993213ff04a5d382dd47d3fca0a9cbcdbcdf4f867d8d5
• Instruction ID: 03ef52a893d2d578ad8ed0dcd6a0cc0b39f6eb731de767689ba07206303d0e36
• Opcode Fuzzy Hash: 00eca0c31957f065def993213ff04a5d382dd47d3fca0a9cbcdbcdf4f867d8d5
• Instruction Fuzzy Hash: 93C14C726153418FCB1ACF28D488725BFD5BFA9310F04826DE41ACF785CBB0A845CB99
APIs
  • Part of subcall function 007E7EC8: GetSystemInfo.KERNEL32(007FCF58,00000000,007E7F3B,?,?,?,?,?,007E9D51,00000000,007E9F5B), ref: 007E7F00
  • Part of subcall function 007E9238: GetModuleHandleW.KERNEL32(kernel32.dll,ExitProcess,007E9D56,00000000,007E9F5B), ref: 007E9242
  • Part of subcall function 007E9238: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 007E9248
• ExitProcess.KERNEL32(00000001,00000000,007E9F5B), ref: 007E9D58
• VirtualAlloc.KERNEL32(00000000,002CCA80,00001000,00000004,00000001,00000000,007E9F5B), ref: 007E9D70
  • Part of subcall function 007B5354: LoadLibraryW.KERNEL32(advapi32.dll,00000000,007B55F5), ref: 007B539D
  • Part of subcall function 007B5354: CryptAcquireContextA.ADVAPI32(00000004,00000000,00000000,00000018,F0000000,advapi32.dll,00000000,007B55F5), ref: 007B53D2
  • Part of subcall function 007B5354: LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B53E5
  • Part of subcall function 007B5354: CryptCreateHash.ADVAPI32(00000004,00008003,00000000,00000000,002CCA80,advapi32.dll), ref: 007B541C
  • Part of subcall function 007B5354: LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B542F
  • Part of subcall function 007B5354: CryptHashData.ADVAPI32(002CCA80,00000000,00000000,00000000,advapi32.dll), ref: 007B547A
  • Part of subcall function 007B5354: LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B548D
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,002CCA80,00001000,00000004,00000001,00000000,007E9F5B), ref: 007E9DF8
  • Part of subcall function 007B5008: VirtualAlloc.KERNEL32(?,?,00003000,00000004,00000000,007B52AF), ref: 007B5068
  • Part of subcall function 007B5008: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,00003000,00000004,00000000,007B52AF), ref: 007B5086
  • Part of subcall function 007B5008: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B509D
  • Part of subcall function 007B5008: GetModuleHandleW.KERNEL32(ntdll.dll,kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B50C8
  • Part of subcall function 007B5008: GetProcessHeap.KERNEL32(00000008,0000001C,ntdll.dll,kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B50F2
  • Part of subcall function 007B5008: RtlAllocateHeap.NTDLL(00000000), ref: 007B50F9
  • Part of subcall function 007B5008: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007B510D
Strings
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: HandleModule$LibraryLoad$AllocCryptVirtual$HashHeapProcess$AcquireAddressAllocateContextCreateDataExitInfoProcSystem
• String ID: VirtualFree$kernel32.dll
• API String ID: 528590579-864021412
• Opcode ID: 918b7068f8ec72758d153b81cd160311601308c42483dd8f54d8782c0b0498ad
• Instruction ID: 9d69ba79558f97364bd82286ef3f0e0da92e3bdc48a3e2c4c3618ee282f8d7f6
• Opcode Fuzzy Hash: 918b7068f8ec72758d153b81cd160311601308c42483dd8f54d8782c0b0498ad
• Instruction Fuzzy Hash: AD611E74E002098FDB00EBA5C882ADDB7B5EF49304F60453AE504BB396DB78AD45CB95
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,007B4D10), ref: 007B4C86
• VirtualProtect.KERNEL32(?,00000005,00000040,?,kernel32.dll,00000000,007B4D10), ref: 007B4CB8
• VirtualProtect.KERNEL32(?,00000005,?,?), ref: 007B4CEB
Strings
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: ProtectVirtual$HandleModule
• String ID: VirtualProtect$kernel32.dll
• API String ID: 3519776433-1817385118
• Opcode ID: e04c1c663b7986d7137b6b3082f198b0faff0eb3f2886fd61576c0eab88c9e65
• Instruction ID: 7dd80464bf91538b607d59b3f1fd4d4d353c8507154cab6e8507e319a6f64483
• Opcode Fuzzy Hash: e04c1c663b7986d7137b6b3082f198b0faff0eb3f2886fd61576c0eab88c9e65
• Instruction Fuzzy Hash: E011A272A00248AFDB01DBA4C801BEFB7B9EB05700F51487AF605E3281D77A5A01CB64
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,ExitProcess,007E9D56,00000000,007E9F5B), ref: 007E9242
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 007E9248
Strings
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: ExitProcess$kernel32.dll
• API String ID: 1646373207-4112012295
• Opcode ID: dce792e2e45b2118e5b5c76a9d29b09f0b2e6183cbb1c2d3e48d654cbf6b8ba7
• Instruction ID: b5be30c904d9d74bb80d725a855925430e24f7239fee57d97a71b1719dbe80c7
• Opcode Fuzzy Hash: dce792e2e45b2118e5b5c76a9d29b09f0b2e6183cbb1c2d3e48d654cbf6b8ba7
• Instruction Fuzzy Hash: 5CC04CF67C72C4658F0577732E0766B358D6949704340486AB3019AE56DD6C9440D298
APIs
• VirtualProtect.KERNEL32(?,?,?,?,00000000,0583BED3), ref: 0583BEB4
Strings
Memory Dump Source
• Source File: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: ProtectVirtual
• String ID: VirtualProtect
• API String ID: 544645111-268857135
• Opcode ID: 8fc69d86d40826589a6008c6c8faa539535099225e0b2225aa2df9727e74e20c
• Instruction ID: de9a208e28d6e6eeccfbfd68a90689e0e88fb7a139aed033a44f7e70f264be19
• Opcode Fuzzy Hash: 8fc69d86d40826589a6008c6c8faa539535099225e0b2225aa2df9727e74e20c
• Instruction Fuzzy Hash: 80F03C7A614348AFCB00EFACD85A89A7BFDEB48210B518468FE44D3740D734AE04CB90
APIs
• VirtualAlloc.KERNEL32(00000000,?,00003000,?), ref: 007E631F
• GetSystemInfo.KERNEL32(?), ref: 007E6331
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: AllocInfoSystemVirtual
• String ID:
• API String ID: 3440192736-0
• Opcode ID: 89a9f59359bb3fbaec5662b6a33a025e1c9d1aea44bb5d5268c8ddcd45ca7a00
• Instruction ID: c3b0f1e1b300b1af1e21708838bf393d448573e5f1d6bc0aa95c91d42a221c85
• Opcode Fuzzy Hash: 89a9f59359bb3fbaec5662b6a33a025e1c9d1aea44bb5d5268c8ddcd45ca7a00
• Instruction Fuzzy Hash: 9C615975E0125DAFCF40DFEAC885AEEBBF9BB18350F108415E515E7284D378AA818F64
APIs
• GetUserDefaultUILanguage.KERNEL32 ref: 0040D423
• GetSystemDefaultUILanguage.KERNEL32 ref: 0040D44B
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: DefaultLanguage$SystemUser
• String ID:
• API String ID: 384301227-0
• Opcode ID: a4ac03e75571fd549eeb2d23af14b5e7c3f6f09fb06d1919fec1ba4d434f6737
• Instruction ID: 144690602737783ba191e9b6cb0d065b61b9d279e7ac058649a8306dd94f0ab3
• Opcode Fuzzy Hash: a4ac03e75571fd549eeb2d23af14b5e7c3f6f09fb06d1919fec1ba4d434f6737
• Instruction Fuzzy Hash: 44310F70E002099BDB14EF95C881AAEB7B5EF48704F50457BE400B72D1DBB8AE49CA59
APIs
• GetUserDefaultUILanguage.KERNEL32(00000000,0569E4AB,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0569E532,00000000,?,00000105), ref: 0569E43F
• GetSystemDefaultUILanguage.KERNEL32(00000000,0569E4AB,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0569E532,00000000,?,00000105), ref: 0569E467
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: DefaultLanguage$SystemUser
• String ID:
• API String ID: 384301227-0
• Opcode ID: d1d44d79415c44560aa51d57e8f02dd48d9ab0b85507b306849e39d6c5bbaf75
• Instruction ID: 4b1ed1f9fc0ae1367131daeea560c0d355c7e781131bfd20ed7a8c5d79a84223
• Opcode Fuzzy Hash: d1d44d79415c44560aa51d57e8f02dd48d9ab0b85507b306849e39d6c5bbaf75
• Instruction Fuzzy Hash: CC318D70B142199FDF28EB98C884AAEB7BDFF48700F504969D401A3750DB76AD81DB88
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D556,?,00400000,007EFC1C), ref: 0040D4D8
• LoadLibraryExW.KERNEL32(00000000,00000000,00000002), ref: 0040D529
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileLibraryLoadModuleName
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1159719554-0
                                                                                                                            • Opcode ID: 94f7ea508b167837a01293ad7fddd0b012af4c27f04a00b0dde00af6e8a22edf
                                                                                                                            • Instruction ID: 7754670e6744272adeaa311b0205e7c1ff0e0d6959019dfb7efd3a6164e24722
                                                                                                                            • Opcode Fuzzy Hash: 94f7ea508b167837a01293ad7fddd0b012af4c27f04a00b0dde00af6e8a22edf
                                                                                                                            • Instruction Fuzzy Hash: 7A114F70E4431CABDB15EB94CC96BDE73B8DB08304F5140BBA508B72D1DA789F848E99
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0569E572,?,00400000,05B8EC1C,?,0569D270,00400000,?,0000020A,00400000,05B8EC1C,0569D2B0), ref: 0569E4F4
                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0569E572,?,00400000,05B8EC1C,?,0569D270,00400000,?,0000020A), ref: 0569E545
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileLibraryLoadModuleName
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1159719554-0
                                                                                                                            • Opcode ID: 09365f52927d925e45b654410fdd9654212fcf3b8785bd542178251e8913b476
                                                                                                                            • Instruction ID: 295da5291238eedaefd0fac87a6f5412cfd2ca4515362de17d4d0b513e19e0e3
                                                                                                                            • Opcode Fuzzy Hash: 09365f52927d925e45b654410fdd9654212fcf3b8785bd542178251e8913b476
                                                                                                                            • Instruction Fuzzy Hash: CD119171B4021C9BDF18EB64CD89BDEB3BCEB14300F5140AEE408A7290EA715F84DA99
                                                                                                                            APIs
                                                                                                                            • WSAStartup.WS2_32(00000101,?), ref: 05B78775
                                                                                                                            • GetLastError.KERNEL32(?,05B80087,00000000,05B80412), ref: 05B7877A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastStartup
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1235836516-0
                                                                                                                            • Opcode ID: dcf5aaab3248208900f18ca74d7d78a6ad6851bcc134172fd484edd26b7d3aaa
                                                                                                                            • Instruction ID: 342b7e7d70e992e6c82962339b5c339190b2113448c9b5eb4fe935ae77abcf9f
                                                                                                                            • Opcode Fuzzy Hash: dcf5aaab3248208900f18ca74d7d78a6ad6851bcc134172fd484edd26b7d3aaa
                                                                                                                            • Instruction Fuzzy Hash: 8DC01231A4120C56D610EA985C06999B25C8B44301F4001956E0CC2241F9B11E5046D6
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,007EEF1D,00409ADC,00000000,00000000,007EEF1D), ref: 00409B6E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0
                                                                                                                            • Opcode ID: 9bd5014a6119e64b95c4442c84cdec0d62472b1e576ae910b0ca7494d949331b
                                                                                                                            • Instruction ID: 07b5f95f323fc3c21b0e63af01482681ef64b132d96914439497dc6ce754a935
                                                                                                                            • Opcode Fuzzy Hash: 9bd5014a6119e64b95c4442c84cdec0d62472b1e576ae910b0ca7494d949331b
                                                                                                                            • Instruction Fuzzy Hash: 88017176605254AFC700DB9DD880B8BB7ECEB48360F108136F508EB392D6789D00C7A8
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,?,05699D20,00000000,?,?), ref: 05699DB2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0
                                                                                                                            • Opcode ID: 0a6044900730bf2ea1d2a0386c973e43d95f1081ea136ce4dcb677c5bcd39f9f
                                                                                                                            • Instruction ID: fc0dbfcdbeb8330954c6bfcdc9ff2077dce42ae5871b587000c389f11365d629
                                                                                                                            • Opcode Fuzzy Hash: 0a6044900730bf2ea1d2a0386c973e43d95f1081ea136ce4dcb677c5bcd39f9f
                                                                                                                            • Instruction Fuzzy Hash: 4F018472705214AFCF04DA9CD884A5EBBECEB88350F00406AF508DB340DA70DD00C7A8
                                                                                                                            APIs
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000001,00E9006E), ref: 00E90086
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2909047164.0000000000E90000.00000040.00000400.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_e90000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateMutex
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1964310414-0
                                                                                                                            • Opcode ID: f2d17c6b5f0819a5e273fe34bfb57f4b12ce5a85ae436b21991bc8cb020b543f
                                                                                                                            • Instruction ID: e386d8ec914ad6820dd291ab03140c83d8cc724205f9acf140b40112cb25d0a5
                                                                                                                            • Opcode Fuzzy Hash: f2d17c6b5f0819a5e273fe34bfb57f4b12ce5a85ae436b21991bc8cb020b543f
                                                                                                                            • Instruction Fuzzy Hash: CCE0928145E3C05EDF1363348C2575A7F605F12304F8A68DBD088EB0E3D91D590996B7
                                                                                                                            APIs
                                                                                                                            • VirtualProtect.KERNEL32(00000000,?,00000000,?), ref: 007E61A2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 544645111-0
                                                                                                                            • Opcode ID: c4c7a1ec64a324dbe270e1901a24b1f3363cc1d31aadb7c30b10b7bb93cd1331
                                                                                                                            • Instruction ID: f5602c96b05c52cdfcf1dce2779633264920dcf10b6fa3472f2da2ac66a7b31f
                                                                                                                            • Opcode Fuzzy Hash: c4c7a1ec64a324dbe270e1901a24b1f3363cc1d31aadb7c30b10b7bb93cd1331
                                                                                                                            • Instruction Fuzzy Hash: CE01E4B5D0134CEBCB15CFE9C948BAEBBF8AB08314F10859AA524E3291D7789A44CB50
                                                                                                                            APIs
                                                                                                                            • GetSystemInfo.KERNEL32(007FCF58,00000000,007E7F3B,?,?,?,?,?,007E9D51,00000000,007E9F5B), ref: 007E7F00
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoSystem
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 31276548-0
                                                                                                                            • Opcode ID: 7b58f591c32ba62d35696932acf1d7be12a4a309b3a717f25240409b2c48b217
                                                                                                                            • Instruction ID: a514e5f8784d81e25c362462ec2bec4c81c55c95bf7798f7c528f7262753dc8a
                                                                                                                            • Opcode Fuzzy Hash: 7b58f591c32ba62d35696932acf1d7be12a4a309b3a717f25240409b2c48b217
                                                                                                                            • Instruction Fuzzy Hash: 12F0247120E3C89EE306AB36FC15B317FE8E34A764F1084AEF60442662DB7D0805D7A9
                                                                                                                            APIs
                                                                                                                            • waveOutGetVolume.WINMM(00000000,007EEF1D), ref: 007E9388
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Volumewave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4088794200-0
                                                                                                                            • Opcode ID: 84577bcf9aaf456419977f2eeacb4d905c59c110c6a99cc0a8fdf365e0f96c77
                                                                                                                            • Instruction ID: 1f5c21822ea5f80f780bb9bafa18f897e241ee3783bdd9b3ec825b57bf0143f7
                                                                                                                            • Opcode Fuzzy Hash: 84577bcf9aaf456419977f2eeacb4d905c59c110c6a99cc0a8fdf365e0f96c77
                                                                                                                            • Instruction Fuzzy Hash: F0F09A25E1064DE6CB10DFDA89002FCB3B5EF58310F0092AAE964EB3C0E6348B51D769
APIs
• GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 0040C246
  • Part of subcall function 0040D49C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D556,?,00400000,007EFC1C), ref: 0040D4D8
  • Part of subcall function 0040D49C: LoadLibraryExW.KERNEL32(00000000,00000000,00000002), ref: 0040D529
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: FileModuleName$LibraryLoad
• String ID:
• API String ID: 4113206344-0
• Opcode ID: a559c8dbe341fb8b7ed0a93d0f1677756894023c7fe04e0299a3f44a76cdd84b
• Instruction ID: ba044da96040afd60275194f994c39a6e3d3e52002c889589e7e8abd48b95cc5
• Opcode Fuzzy Hash: a559c8dbe341fb8b7ed0a93d0f1677756894023c7fe04e0299a3f44a76cdd84b
• Instruction Fuzzy Hash: 43E0C971E053109BCB10DFA8C8C5A477794AB08B54F044AA6AD28DF386D375D91487E5
APIs
• GetModuleFileNameW.KERNEL32(00400000,?,0000020A,00400000,05B8EC1C,0569D2B0,?,?,056A00C0), ref: 0569D262
  • Part of subcall function 0569E4B8: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0569E572,?,00400000,05B8EC1C,?,0569D270,00400000,?,0000020A,00400000,05B8EC1C,0569D2B0), ref: 0569E4F4
  • Part of subcall function 0569E4B8: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0569E572,?,00400000,05B8EC1C,?,0569D270,00400000,?,0000020A), ref: 0569E545
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: FileModuleName$LibraryLoad
• String ID:
• API String ID: 4113206344-0
• Opcode ID: 7c1ee64858cc89b131c1bcaaf4c5d23a408bec5d341bc7def07cd761b0403ce4
• Instruction ID: dd3015088f162785ccd6307492f0cded68f2c7cf1c8763f823bcfc2e34a22852
• Opcode Fuzzy Hash: 7c1ee64858cc89b131c1bcaaf4c5d23a408bec5d341bc7def07cd761b0403ce4
• Instruction Fuzzy Hash: 9CE0EDB1A043109BDF28DE68C8C4E5677E8AF18654F044665ED18DF346E371D910C7E1
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00E9006E), ref: 00E90086
Memory Dump Source
• Source File: 00000008.00000002.2909047164.0000000000E90000.00000040.00000400.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_e90000_pipanel.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 0dff6d6f7e52cc67786e85a33cde28c0eed7bbc3ddaf1dd8a5e93c6a9bbdc8ce
• Instruction ID: 4b92a433f18cd08e22f38f8de04b1b74ee374cc34af9e1d2a9b01ae781808577
• Opcode Fuzzy Hash: 0dff6d6f7e52cc67786e85a33cde28c0eed7bbc3ddaf1dd8a5e93c6a9bbdc8ce
• Instruction Fuzzy Hash: 35B012613A810060F610007D1C51B240104CF04700FA11003F208FC0CCC08ADB801036
APIs
  • Part of subcall function 004104F0: GetModuleHandleW.KERNEL32(00000000,?,007EEE18), ref: 004104FC
  • Part of subcall function 007E937C: waveOutGetVolume.WINMM(00000000,007EEF1D), ref: 007E9388
  • Part of subcall function 007E93D8: CoInitialize.OLE32(00000000), ref: 007E93F2
  • Part of subcall function 007E93D8: CoCreateInstance.COMBASE(007F68F0,00000000,00000001,007F6900,00000000), ref: 007E941C
• Sleep.KERNEL32(00000000,00000000,007EEF1D), ref: 007EEE87
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: CreateHandleInitializeInstanceModuleSleepVolumewave
• String ID:
• API String ID: 3130883371-0
• Opcode ID: e4ff22478e1e532da1f1d1b2920a1aff3a3e917e7d970103fabf6fc2d86a0c0b
• Instruction ID: 00c27f648798e8fb7903962c8f1f860ff983bad646c2876e0a7dbe8d8762f060
• Opcode Fuzzy Hash: e4ff22478e1e532da1f1d1b2920a1aff3a3e917e7d970103fabf6fc2d86a0c0b
• Instruction Fuzzy Hash: E521E571602289CEEB50EB6B9D467ADF7F1EB4C314F50892AE604D27D2D73C5401CB65
APIs
• VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,00405C4B,FFFFFFDC,0040591E), ref: 0040564B
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 294dff03d6a04316d3557dc222ff1a98499e06d62fde620ed5e3be942bc5c473
• Instruction ID: 2fd1637c8a9e76a581e83fbc6107b96fd27cc1e5fee9dd73479bf31e7ab9bc2a
• Opcode Fuzzy Hash: 294dff03d6a04316d3557dc222ff1a98499e06d62fde620ed5e3be942bc5c473
• Instruction Fuzzy Hash: 7EF08CB2B043014FD7189F7C9D407567BE4E744354B12817EE909EB794D7B88801CB88
APIs
• VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,05695CCF,?,05696274), ref: 056956CF
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 6025fce7da572c0328a3b4402ec97a7894ec6e85e14dafc76f5e06269f212e1f
• Instruction ID: dbf8dd7f9a88db4cfea346597b1594a5a692ed632d061cc8278d563a82c7211e
• Opcode Fuzzy Hash: 6025fce7da572c0328a3b4402ec97a7894ec6e85e14dafc76f5e06269f212e1f
• Instruction Fuzzy Hash: CEF06DB2B203014FD718DF78A9497016FE4A718350B10417EF91DEBB88DBB058028788
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,00419FDC,?,?), ref: 0040CBC5
• GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040CBD6
• FindFirstFileW.KERNEL32(?,?,kernel32.dll,00419FDC,?,?), ref: 0040CCD6
• FindClose.KERNEL32(000000FF), ref: 0040CCE8
• lstrlenW.KERNEL32(?,000000FF), ref: 0040CCF4
• lstrlenW.KERNEL32(?,?,000000FF), ref: 0040CD39
Strings
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameW$\$kernel32.dll
• API String ID: 1930782624-3908791685
• Opcode ID: 0780fd1eb023d6c1f3aab4440b2ce0b042986587d360e664c8ffa89c3883650b
• Instruction ID: 70bc7995c4b8c1f727a8e6f74c0114f0dd9ae9748d3feff28ab1683db5cac293
• Opcode Fuzzy Hash: 0780fd1eb023d6c1f3aab4440b2ce0b042986587d360e664c8ffa89c3883650b
• Instruction Fuzzy Hash: 79417D31A00619DBDB10EBA8CCC5ADEB7B5AF44314F1446BA9508F72D1E77CAE448F89
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,0569DEFB,00000000,0569DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0569DFD9), ref: 0569DBE1
• GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0569DBF2
• FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?,?,0569DEFB,00000000,0569DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0569DCF2
• FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?,?,0569DEFB,00000000,0569DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019), ref: 0569DD04
• lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?,?,0569DEFB,00000000,0569DFBC,?,80000001,Software\Embarcadero\Locales,00000000), ref: 0569DD10
• lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?,?,0569DEFB,00000000,0569DFBC,?,80000001,Software\Embarcadero\Locales), ref: 0569DD55
Strings
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameW$\$kernel32.dll
• API String ID: 1930782624-3908791685
• Opcode ID: 1f3cafe59903396cf4a470cec9d19387005912371cd13c20995d2f01f6af5e7a
• Instruction ID: ed8d7661fd9b67d1630385e4698de5ce8eaf015aa833643bd9c0b4e5e7c0e96e
• Opcode Fuzzy Hash: 1f3cafe59903396cf4a470cec9d19387005912371cd13c20995d2f01f6af5e7a
• Instruction Fuzzy Hash: 084191B1E006189BDF18EA94CC84BEEB3BDAF85310F1485B5D509E7254E7B4DE45CB84
APIs
• GetVersionExW.KERNEL32(?,?,?,?,?,05B552B1), ref: 05B5505F
• GetVersionExW.KERNEL32(?,?,?,?,?,?,05B552B1), ref: 05B55089
• LoadLibraryW.KERNEL32(ntdll.dll,RtlGetVersion,00000000,05B551E9,?,?,?,?,?,?,05B552B1), ref: 05B550D6
Strings
Memory Dump Source
• Source File: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: Version$LibraryLoad
• String ID: RtlGetVersion$ntdll.dll
• API String ID: 192404683-1489217083
• Opcode ID: 9716f517594c4024830d2acdf007531aef9c99a6c736ffc42c57af673726f7e4
• Instruction ID: 1400b6f37c15043a305c0670a49e4616f961bbd6256949e413a3bb463b449e83
• Opcode Fuzzy Hash: 9716f517594c4024830d2acdf007531aef9c99a6c736ffc42c57af673726f7e4
• Instruction Fuzzy Hash: AC51C474A04208EFCB18DFA4C585AEDBBF5EF09311F6584E9E809A7350E730AE40DB54
APIs
• IsValidLocale.KERNEL32(?,00000002,00000000,0040C8B1,?,00419FDC,?,00000000,?,0040CAED,00000000,00000002,00000000,0040CB68,?,?), ref: 0040C7F6
• GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040C8B1,?,00419FDC,?,00000000,?,0040CAED,00000000,00000002), ref: 0040C812
• GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040C8B1,?,00419FDC,?,00000000), ref: 0040C823
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: Locale$Info$Valid
• String ID:
• API String ID: 1826331170-0
• Opcode ID: ee691c7e5376fe0122a24d1db569e685cd32f018a0c7df29c3c22efe330fe297
• Instruction ID: 7c6fc71b2a559624a377d453c431fd8f12b315fcad97aa23c5554b7f2d535331
• Opcode Fuzzy Hash: ee691c7e5376fe0122a24d1db569e685cd32f018a0c7df29c3c22efe330fe297
• Instruction Fuzzy Hash: 44319E31900608EAEB20DBA5DCC1BDEB7B9EB48705F5081BBA508B76D0D7395E80CF19
APIs
• IsValidLocale.KERNEL32(?,00000002,00000000,0569D8CD,?,?,?,00000000), ref: 0569D812
• GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0569D8CD,?,?,?,00000000), ref: 0569D82E
• GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0569D8CD,?,?,?,00000000), ref: 0569D83F
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: Locale$Info$Valid
• String ID:
• API String ID: 1826331170-0
• Opcode ID: d2939efa6eec1f68729d5d602d1ca6169b80ae2ee731340b4856a5f77177a2f0
• Instruction ID: d50a2fb31453ada3883923f0b4e01ab7c36e108e4fd4dcbdeb1c8398882b7c86
• Opcode Fuzzy Hash: d2939efa6eec1f68729d5d602d1ca6169b80ae2ee731340b4856a5f77177a2f0
• Instruction Fuzzy Hash: AB31AE30A04608ABDF28DB64DD85BEEB7BEFB44701F0004F9E509A7250D6316E81DE54
APIs
• LoadLibraryW.KERNEL32(user32.dll), ref: 0583C7ED
• LoadLibraryW.KERNEL32(ntdll.dll,user32.dll), ref: 0583C809
• LoadLibraryW.KERNEL32(advapi32.dll,ntdll.dll,user32.dll), ref: 0583C825
• LoadLibraryW.KERNEL32(shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0583C841
• LoadLibraryW.KERNEL32(ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0583C85D
• LoadLibraryW.KERNEL32(ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0583C879
• LoadLibraryW.KERNEL32(wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0583C895
• LoadLibraryW.KERNEL32(wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0583C8AE
• LoadLibraryW.KERNEL32(crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0583C8C7
• LoadLibraryW.KERNEL32(PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0583C8E0
• LoadLibraryW.KERNEL32(gdi32.dll,PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0583C8F9
• LoadLibraryW.KERNEL32(Iphlpapi.dll,gdi32.dll,PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0583C912
Strings
Memory Dump Source
• Source File: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: Iphlpapi.dll$PSAPI.dll$advapi32.dll$crypt32.dll$gdi32.dll$ntdll.dll$ole32.dll$shell32.dll$user32.dll$wininet.dll$ws2_32.dll$wtsapi32.dll
• API String ID: 1029625771-1098239973
• Opcode ID: 864ffc17ac5a522b12356e7e1cffbf8d5f1c6bdeb326acf09ade0fde64a797b2
• Instruction ID: d397181e972250796913dfc4b6b4f98f3e1921c569a02cc03ed60e01ace8c9ea
• Opcode Fuzzy Hash: 864ffc17ac5a522b12356e7e1cffbf8d5f1c6bdeb326acf09ade0fde64a797b2
• Instruction Fuzzy Hash: E041A379A1420CEEC740EFA8D64A65CBBF5EF09658B514469E845F3300EB786E00DFA1
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,007B4249), ref: 007B4107
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007B4167
• GetLastError.KERNEL32 ref: 007B41AE
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007B41C1
• GetLastError.KERNEL32 ref: 007B420B
Strings
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: HandleModule$ErrorLast
• String ID: CloseHandle$CreateFileW$GetFileAttributesW$kernel32.dll${
• API String ID: 376044232-2642396515
• Opcode ID: c78aa9ca8cc6231b8a81011f9f9007123eacbd6fa6aca5be5d991471ef62fdcd
• Instruction ID: 70c39c79c02f1817e9240851158c08ff5255e28e1e66c8cbf9de5860453e42d1
• Opcode Fuzzy Hash: c78aa9ca8cc6231b8a81011f9f9007123eacbd6fa6aca5be5d991471ef62fdcd
• Instruction Fuzzy Hash: EE418D74D04348AADF04EBE5980A7EEBBB4FB45304F10857AF910B22D2D77C5A41EB66
APIs
• EnterCriticalSection.KERNEL32(05BCEC14,00000000,0569DB84,?,?,?,00000000,?,0569E44C,00000000,0569E4AB,?,?,00000000,00000000,00000000), ref: 0569DA9E
• LeaveCriticalSection.KERNEL32(05BCEC14,05BCEC14,00000000,0569DB84,?,?,?,00000000,?,0569E44C,00000000,0569E4AB,?,?,00000000,00000000), ref: 0569DAC2
• LeaveCriticalSection.KERNEL32(05BCEC14,05BCEC14,00000000,0569DB84,?,?,?,00000000,?,0569E44C,00000000,0569E4AB,?,?,00000000,00000000), ref: 0569DAD1
• IsValidLocale.KERNEL32(00000000,00000002,05BCEC14,05BCEC14,00000000,0569DB84,?,?,?,00000000,?,0569E44C,00000000,0569E4AB), ref: 0569DAE3
• EnterCriticalSection.KERNEL32(05BCEC14,00000000,00000002,05BCEC14,05BCEC14,00000000,0569DB84,?,?,?,00000000,?,0569E44C,00000000,0569E4AB), ref: 0569DB40
• LeaveCriticalSection.KERNEL32(05BCEC14,05BCEC14,00000000,00000002,05BCEC14,05BCEC14,00000000,0569DB84,?,?,?,00000000,?,0569E44C,00000000,0569E4AB), ref: 0569DB69
Strings
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$Enter$LocaleValid
• String ID: en-GB,en,en-US,
• API String ID: 975949045-3021119265
• Opcode ID: 513cb9c0d4ac015020e8b919946f7b8f8247a3d5b6de27a6c73fd375915f2d1e
• Instruction ID: 77fc089deac4c395043004a576414ca7140bdf31ef44653c02303d610188f22d
• Opcode Fuzzy Hash: 513cb9c0d4ac015020e8b919946f7b8f8247a3d5b6de27a6c73fd375915f2d1e
• Instruction Fuzzy Hash: 7B21A2743043409BDF2EB7789959A2E79ADAF49A00F9044BDF0029B658DDB4EC41D3AF
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 0040863D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408643
• GetLogicalProcessorInformation.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00408656
• GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040865F
• GetLogicalProcessorInformation.KERNEL32(?,?,00000000,004086D6,?,00000000,?,GetLogicalProcessorInformation), ref: 0040868A
Strings
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
• String ID: @$GetLogicalProcessorInformation$kernel32.dll
• API String ID: 1184211438-79381301
• Opcode ID: 5c1f650784676188e58856916b63c0c3f38add80198dcced6c01d44bfd14551f
• Instruction ID: 3a5ca0c6ba0916f4b43a4d76bf6a17100578e13cec400e9c678c7b2076f3e09f
• Opcode Fuzzy Hash: 5c1f650784676188e58856916b63c0c3f38add80198dcced6c01d44bfd14551f
• Instruction Fuzzy Hash: 0B116D70D00208ABDB10EBA5CA05B6FB7F8EB44304F5184BFE454B72C1DA7E8A808E59
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 056987BD
                                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 056987C3
• GetLogicalProcessorInformation.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 056987D6
• GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 056987DF
• GetLogicalProcessorInformation.KERNEL32(?,?,00000000,05698856,?,00000000,?,GetLogicalProcessorInformation), ref: 0569880A
Strings
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
• String ID: @$GetLogicalProcessorInformation$kernel32.dll
• API String ID: 1184211438-79381301
APIs
• RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004105F4
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 056A1868
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~,?,00409A82,00406F47,00406F8E,00000002,?), ref: 004098E9
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~,?,00409A82,00406F47,00406F8E,00000002), ref: 004098EF
• GetStdHandle.KERNEL32(000000F5,00000000,00000002,$~,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~), ref: 0040990A
• WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,$~,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E), ref: 00409910
Strings
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: FileHandleWrite
• String ID: $~$Error$Runtime error at 00000000
• API String ID: 3320372497-611976076
APIs
  • Part of subcall function 00408D3C: GetCurrentThreadId.KERNEL32 ref: 00408D3F
• GetTickCount.KERNEL32 ref: 004088E7
• GetTickCount.KERNEL32 ref: 004088FF
• GetCurrentThreadId.KERNEL32 ref: 0040892E
• GetTickCount.KERNEL32 ref: 00408959
• GetTickCount.KERNEL32 ref: 00408990
• GetTickCount.KERNEL32 ref: 004089BA
• GetCurrentThreadId.KERNEL32 ref: 00408A2A
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: CountTick$CurrentThread
• String ID:
• API String ID: 3968769311-0
APIs
  • Part of subcall function 05698EBC: GetCurrentThreadId.KERNEL32 ref: 05698EBF
• GetTickCount.KERNEL32 ref: 05698A67
• GetTickCount.KERNEL32 ref: 05698A7F
• GetCurrentThreadId.KERNEL32 ref: 05698AAE
• GetTickCount.KERNEL32 ref: 05698AD9
• GetTickCount.KERNEL32 ref: 05698B10
• GetTickCount.KERNEL32 ref: 05698B3A
• GetCurrentThreadId.KERNEL32 ref: 05698BAA
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: CountTick$CurrentThread
• String ID:
• API String ID: 3968769311-0
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05699BB2,?,?,00000000,00000000,05699CC6,05699CE0,?,?,056A11E8), ref: 05699B2D
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05699BB2,?,?,00000000,00000000,05699CC6,05699CE0), ref: 05699B33
• GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05699BB2,?,?,00000000), ref: 05699B4E
• WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05699BB2,?,?), ref: 05699B54
Strings
Memory Dump Source
• Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: FileHandleWrite
• String ID: Error$Runtime error at 00000000
• API String ID: 3320372497-2970929446
APIs
• LoadLibraryW.KERNEL32(user32.dll,05B80073,00000000,05B80412), ref: 0583C705
• LoadLibraryW.KERNEL32(kernel32.dll,user32.dll,05B80073,00000000,05B80412), ref: 0583C714
• LoadLibraryW.KERNEL32(ntdll.dll,kernel32.dll,user32.dll,05B80073,00000000,05B80412), ref: 0583C723
Strings
Memory Dump Source
• Source File: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
• Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: kernel32.dll$ntdll.dll$user32.dll
• API String ID: 1029625771-3818928520
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,007B4E45), ref: 007B4DBB
• VirtualProtect.KERNEL32(00000000,00000005,00000040,00000001,kernel32.dll,00000000,007B4E45), ref: 007B4DED
• VirtualProtect.KERNEL32(00000000,00000005,00000001,00000001), ref: 007B4E20
Strings
Memory Dump Source
• Source File: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
Similarity
• API ID: ProtectVirtual$HandleModule
• String ID: VirtualProtect$kernel32.dll
• API String ID: 3519776433-1817385118
                                                                                                                            • Opcode ID: 777bf22d5265d8be7ee9487e6411f158a950ad289d5dcb62c2caa69a7fbc9b76
                                                                                                                            • Instruction ID: 6feec314314617b60e1c2fa0746624d18fb88d0f1d6c6f1f8ed6b67c6740e0fb
                                                                                                                            • Opcode Fuzzy Hash: 777bf22d5265d8be7ee9487e6411f158a950ad289d5dcb62c2caa69a7fbc9b76
                                                                                                                            • Instruction Fuzzy Hash: 6B213E71A00249AFDB01DFE8C885BEFBBB9FB09714F514479E601E3291D7799A00CB94
                                                                                                                            APIs
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040997E
                                                                                                                            • FreeLibrary.KERNEL32(00400000,?,?,$~,?,00409A82,00406F47,00406F8E,00000002,?,00406FA7,?,?,?,?,007EEF1C), ref: 00409A1C
                                                                                                                            • ExitProcess.KERNEL32(00000000,?,?,$~,?,00409A82,00406F47,00406F8E,00000002,?,00406FA7,?,?,?,?,007EEF1C), ref: 00409A55
                                                                                                                              • Part of subcall function 004098B0: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~,?,00409A82,00406F47,00406F8E,00000002,?), ref: 004098E9
                                                                                                                              • Part of subcall function 004098B0: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~,?,00409A82,00406F47,00406F8E,00000002), ref: 004098EF
                                                                                                                              • Part of subcall function 004098B0: GetStdHandle.KERNEL32(000000F5,00000000,00000002,$~,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~), ref: 0040990A
                                                                                                                              • Part of subcall function 004098B0: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,$~,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E), ref: 00409910
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                                                            • String ID: $~
                                                                                                                            • API String ID: 3490077880-1420499540
                                                                                                                            • Opcode ID: b42f7c6514fa2e4ba5d384be508622aee6d9700a1406f69b1d057fe348a384cb
                                                                                                                            • Instruction ID: 729552d4b205c4b6db1c40a69fda68c73a156e7e37d5ee8f3dce140ca8fc0210
                                                                                                                            • Opcode Fuzzy Hash: b42f7c6514fa2e4ba5d384be508622aee6d9700a1406f69b1d057fe348a384cb
                                                                                                                            • Instruction Fuzzy Hash: AA3169B0A002859BDB21AB7A888876B7690AF04318F14893FE545A63D3D77CDC84CB6D
                                                                                                                            APIs
                                                                                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C959
                                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,000000FF), ref: 0040C9B7
                                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040CA14
                                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,00000000,?), ref: 0040CA47
                                                                                                                              • Part of subcall function 0040C904: GetThreadPreferredUILanguages.KERNEL32(00000038,0040C9C5,00000000,00000000,?,00000000,?,?,0040C9C5), ref: 0040C91B
                                                                                                                              • Part of subcall function 0040C904: GetThreadPreferredUILanguages.KERNEL32(00000038,0040C9C5,00000000,00000000,?,?,0040C9C5), ref: 0040C938
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$LanguagesPreferred$Language
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2255706666-0
                                                                                                                            • Opcode ID: 8ef4da217b9d90f3f72582c7eda1050deeca6c1b49fe9d879124390108d6185f
                                                                                                                            • Instruction ID: 60c78255c2fae95a361181b35778ad0afcc5332dc1bf7423088e953ece34cb01
                                                                                                                            • Opcode Fuzzy Hash: 8ef4da217b9d90f3f72582c7eda1050deeca6c1b49fe9d879124390108d6185f
                                                                                                                            • Instruction Fuzzy Hash: C9312D71A0021EDBDB10DBA9C885BAEB3F4EF04314F10827AE551F7291DB789A05CB95
                                                                                                                            APIs
                                                                                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0569D975
                                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0569D9D3
                                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0569DA30
                                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0569DA63
                                                                                                                              • Part of subcall function 0569D920: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0569D9E1), ref: 0569D937
                                                                                                                              • Part of subcall function 0569D920: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0569D9E1), ref: 0569D954
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2912671216.0000000005691000.00000040.00001000.00020000.00000000.sdmp, Offset: 05690000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2912592330.0000000005690000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.00000000056A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BD1000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2912671216.0000000005BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_5690000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$LanguagesPreferred$Language
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2255706666-0
                                                                                                                            • Opcode ID: 5354d923488a281cd924fe08551a9b1cb88998e5245d592a5e2cb1e2f1aae51b
                                                                                                                            • Instruction ID: fc5f665412204406b2ea51fac20b5d75e5101f6c5f719aed547e0f4bef9c0e87
                                                                                                                            • Opcode Fuzzy Hash: 5354d923488a281cd924fe08551a9b1cb88998e5245d592a5e2cb1e2f1aae51b
                                                                                                                            • Instruction Fuzzy Hash: 6F316B31A0421E9BDF14EFE8D888AAEB7BDFF08304F004179E555E7280EB74AA05CB55
                                                                                                                            APIs
                                                                                                                            • UnhandledExceptionFilter.KERNEL32(00000006), ref: 004094DF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.2907592077.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000417000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.00000000007FC000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000008.00000002.2907592077.0000000000802000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                            • String ID: pnB$xoB
                                                                                                                            • API String ID: 3192549508-1858878467
                                                                                                                            • Opcode ID: 0a79f63b1534adbb0e29de0ece138e19c4857cbc34462d57ef1bbdd42fa654d9
                                                                                                                            • Instruction ID: f9005ca40e833597cfde3972eed18ca8d48f2f06ad6e454d3b76b5059e9afc12
                                                                                                                            • Opcode Fuzzy Hash: 0a79f63b1534adbb0e29de0ece138e19c4857cbc34462d57ef1bbdd42fa654d9
                                                                                                                            • Instruction Fuzzy Hash: 9831043520C2019AD7249E28D884A777795AB85320F24827BE501BB7D7C63DDC87EB2F

Execution Graph

Execution Coverage: 63%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 5
Total number of Limit Nodes: 1
[Execution graph: rendered graph omitted; its only API node is CreateProcessW]

Callgraph

[Callgraph: rendered graph omitted]

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000009.00000002.2909188216.00000000013A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_13a0000_explorer.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 0c71d2973f944374372f147b41bfe7397934179d63ab54547777d3409d6c1be1
• Instruction ID: 38611f551d40a395df4214a80ddb1e87d64bd2017bf1e24ff8bf76f73b2cf313
• Opcode Fuzzy Hash: 0c71d2973f944374372f147b41bfe7397934179d63ab54547777d3409d6c1be1
• Instruction Fuzzy Hash: 06318130208F894FD785EB6888A875AFBE1FBE9304F94465EE499C32A1DF74D844C752

Execution Graph

Execution Coverage: 0.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 97
Total number of Limit Nodes: 10
[Execution graph: rendered graph omitted; API nodes include CreateFileW, LoadLibraryA, CloseHandle, CreateRemoteThread, lstrcpyW, lstrlenW, GetPEB and VirtualAlloc]

Control-flow Graph

[Control-flow graph: rendered graph omitted]
APIs
• VirtualAlloc.KERNELBASE(00000000,00000036,00003000,00000040), ref: 024C0FB2
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2733709549.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_24b1000_bumbguard.jbxd
Similarity
• API ID: AllocVirtual
• String ID: "$"$"$"$"$#$3$3$3$3$3$3$6$D$D$D$D$D$H$H$H$H$U$U$U$V$W$^$_$f$f$f$h$h$j$j$w$w$w
• API String ID: 4275171209-2237795235
• Opcode ID: b15f43db865f23353c32985a50de4fd52892e1c4c4d0d4874ef081e8f231406b
• Instruction ID: 37eeb4920c072482184dc80d92552295592e9db42771725eda0da94b0cd0b69c
• Opcode Fuzzy Hash: b15f43db865f23353c32985a50de4fd52892e1c4c4d0d4874ef081e8f231406b
• Instruction Fuzzy Hash: A6515B60D083C9DEDB16CBACD45879DBFB16B1A318F084689D4947B3C2C3BA4619C77A

                                                                                                                            Control-flow Graph (rendered graph; legend Executed / Not Executed, node colouring not reproduced in this extraction)
                                                                                                                            control_flow_graph 7 24c0990-24c0a2d 8 24c0a2f-24c0a5a VirtualAlloc call 24c0ec0 7->8 9 24c0a62-24c0a99 7->9 11 24c0a5f 8->11 11->9
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,00000024,00003000,00000040), ref: 024C0A3A
                                                                                                                              • Part of subcall function 024C0EC0: VirtualAlloc.KERNELBASE(00000000,00000036,00003000,00000040), ref: 024C0FB2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.2733709549.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_24b1000_bumbguard.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID: "$"$"$#$%$3$3$3$3$D$D$D$H$H$H$`$e$g$h$h$j$j
                                                                                                                            • API String ID: 4275171209-1009948329
                                                                                                                            • Opcode ID: 754ebd187ca31bed2e8ee58db15baabb6cb5896af69671e5e6c3cd0ceed8fffb
                                                                                                                            • Instruction ID: febad32cba925d4bd336ccdd9b2738e7cde24c81c6596e1d85e263a9d1153d7a
                                                                                                                            • Opcode Fuzzy Hash: 754ebd187ca31bed2e8ee58db15baabb6cb5896af69671e5e6c3cd0ceed8fffb
                                                                                                                            • Instruction Fuzzy Hash: EA412960D493C9DDEB16C7A8D45979EBFF55B2630CF0881C8D5846B2C2C2BA0719C7B6

                                                                                                                            Control-flow Graph (rendered graph; legend Executed / Not Executed, node colouring not reproduced in this extraction)
                                                                                                                            control_flow_graph 70 24b6a7f-24b6a82 71 24b6a88-24b6ab4 call 24b1161 CreateFileW 70->71 72 24b6b17 70->72 71->72 75 24b6ab6-24b6b07 call 24b1161 * 2 CloseHandle 71->75 75->72 81 24b6b09-24b6b0f 75->81 81->72
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNELBASE(C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe,80000000,00000001,00000000,00000003,00000080,00000000), ref: 024B6AAF
                                                                                                                              • Part of subcall function 024B1161: LoadLibraryA.KERNEL32(NTDLL,?), ref: 024B1229
                                                                                                                            • CloseHandle.KERNELBASE(00000000), ref: 024B6AE0
                                                                                                                            Strings
                                                                                                                            • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe, xrefs: 024B6AAA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.2733709549.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_24b1000_bumbguard.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateFileHandleLibraryLoad
                                                                                                                            • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe
                                                                                                                            • API String ID: 2506845977-1228876714
                                                                                                                            • Opcode ID: 21316e6b13ed619614c0402f82905eb8fa8b6cee283c9c273ffe1634125883b6
                                                                                                                            • Instruction ID: 91501cead5046e027b3a50513de65b70e5906417610ce3917d9deae458557f21
                                                                                                                            • Opcode Fuzzy Hash: 21316e6b13ed619614c0402f82905eb8fa8b6cee283c9c273ffe1634125883b6
                                                                                                                            • Instruction Fuzzy Hash: 19012131B91114BFEB5B9724CC92FA93362FFC4B04F160669F118EF1E1CE70A9218A14

                                                                                                                            Control-flow Graph (rendered graph; legend Executed / Not Executed, node colouring not reproduced in this extraction)
                                                                                                                            control_flow_graph 82 24c1387-24c139f 83 24c13a4-24c13ac 82->83 84 24c13a1 82->84 85 24c13ae-24c13af 83->85 86 24c13c4-24c13d9 CreateRemoteThread call 24c13de 83->86 84->83 88 24c13b3-24c13b6 85->88 88->86 89 24c13b8-24c13c2 88->89 89->88
                                                                                                                            APIs
                                                                                                                            • CreateRemoteThread.KERNELBASE ref: 024C13C8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.2733709549.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_24b1000_bumbguard.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateRemoteThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4286614544-0
                                                                                                                            • Opcode ID: 3e8305159a71e640bfe16a740774c4df1d6b7a33e869004c862a1cff4d2e687a
                                                                                                                            • Instruction ID: c00d11172636a7f431a1ea769d8a6324e19646a5f93b69f616d5cfd8d9b89042
                                                                                                                            • Opcode Fuzzy Hash: 3e8305159a71e640bfe16a740774c4df1d6b7a33e869004c862a1cff4d2e687a
                                                                                                                            • Instruction Fuzzy Hash: 62F06D31F18D0D9F9F51EAACE6149EDBBB2FF54318B21421AE40CE3194DB71E5218B80
                                                                                                                            APIs
                                                                                                                            • lstrcpyW.KERNEL32(024DC4EB,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe), ref: 024B3C85
                                                                                                                            • lstrcpyW.KERNEL32(024DC6F7,Gbumps Inc), ref: 024B3C95
                                                                                                                            • lstrcpyW.KERNEL32(024DC727,C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe), ref: 024B3CA5
                                                                                                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe), ref: 024B3CB0
                                                                                                                            • lstrcpyW.KERNEL32(024DC92F,024D32CC,024D6F9A,024D32CC), ref: 024B3CDC
                                                                                                                            • lstrcpy.KERNEL32(024DC98F,024D6F9A), ref: 024B3CEC
                                                                                                                            Strings
                                                                                                                            • C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe, xrefs: 024B3C9B, 024B3CAB
                                                                                                                            • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe, xrefs: 024B3C7B
                                                                                                                            • Gbumps Inc, xrefs: 024B3C8B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.2733709549.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_24b1000_bumbguard.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcpy$lstrlen
                                                                                                                            • String ID: C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe$Gbumps Inc
                                                                                                                            • API String ID: 367037083-1607325275
                                                                                                                            • Opcode ID: b53f3eb684b82fdc9545f9e0082648fe4ba75f7c7ae984c05670fd7a3fa99504
                                                                                                                            • Instruction ID: 0164416fc007b3b1ef6fa5054a796eb5c6c889f984cd7c595fe00a95375efa4b
                                                                                                                            • Opcode Fuzzy Hash: b53f3eb684b82fdc9545f9e0082648fe4ba75f7c7ae984c05670fd7a3fa99504
                                                                                                                            • Instruction Fuzzy Hash: 77011A357C0B617BF6513BB18D66F897B996F49F07F61148BBA57A4044CAE0A0108E22
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(?,33656C4F,00000032,00004E20), ref: 024B40F7
                                                                                                                            • LoadLibraryA.KERNEL32(?,6C656853,2E32336C,006C6C64,?,72436F43,65746165,74736E49,65636E61,00000000,?,6E496F43,61697469,657A696C,00000000,33656C4F), ref: 024B4195
                                                                                                                              • Part of subcall function 024B1161: LoadLibraryA.KERNEL32(NTDLL,?), ref: 024B1229
                                                                                                                            • LoadLibraryA.KERNEL32(?,776C6873,2E697061,006C6C64,?,6C656853,2E32336C,006C6C64,?,72436F43,65746165,74736E49,65636E61,00000000,?,6E496F43), ref: 024B4216
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.2733709549.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_24b1000_bumbguard.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bumbguard.exe$bumbguard.exe
                                                                                                                            • API String ID: 1029625771-2511130895
                                                                                                                            • Opcode ID: 21ba195e1d5eeb03e63d18096fc6f9738d1592dea1dbacc1ab9f44cff6c29dc0
                                                                                                                            • Instruction ID: 38722fcdf36ad2f42b9acf18b9a09f6497633d32f7b8856a409f3fd416286cc7
                                                                                                                            • Opcode Fuzzy Hash: 21ba195e1d5eeb03e63d18096fc6f9738d1592dea1dbacc1ab9f44cff6c29dc0
                                                                                                                            • Instruction Fuzzy Hash: 6141F134B81200BBFB166F60EC45F6A3B22FF40F05F124D2DFA04E9284DF6159729A64
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(024D6F9A,024D6F9A,00002710,024D32CC), ref: 024B402E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.2733709549.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_24b1000_bumbguard.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe$bumbguard.exe
                                                                                                                            • API String ID: 1029625771-2378045078
                                                                                                                            • Opcode ID: e28a6c225827f04b806ac9887868408f18bcf7bc5e715eb5ea0aa82f6628b7d3
                                                                                                                            • Instruction ID: a8df0ba961a95ed2937351df9b285ddcf3ffdb05607b6dd05192fe97df76bb29
                                                                                                                            • Opcode Fuzzy Hash: e28a6c225827f04b806ac9887868408f18bcf7bc5e715eb5ea0aa82f6628b7d3
                                                                                                                            • Instruction Fuzzy Hash: D411C224A80610BAFB133BB19C62FAA3B469FC5F19F12085FF94DB5145DE8208614D73
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(024D6F9A,024D6F9A,00002710,024D32CC), ref: 024B402E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.2733709549.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_24b1000_bumbguard.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: C:\Users\user\AppData\Local\Gbumps Inc\bumbguard.exe$bumbguard.exe
                                                                                                                            • API String ID: 1029625771-2378045078
                                                                                                                            • Opcode ID: 800db4addcb91e0fec42d5557623cc379666d09b08ba93492414edf5c5e9cdbc
                                                                                                                            • Instruction ID: 080b20f7dcb11048a18c786bc29fea12587df9767cd761fba2b8623afc3a937a
                                                                                                                            • Opcode Fuzzy Hash: 800db4addcb91e0fec42d5557623cc379666d09b08ba93492414edf5c5e9cdbc
                                                                                                                            • Instruction Fuzzy Hash: 6E11E124B80610BEFB133BB19C62FAA3B469FC6F19F12045FF90DB5185DE8208214D72

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:22.3%
                                                                                                                            Dynamic/Decrypted Code Coverage:21.1%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:2000
                                                                                                                            Total number of Limit Nodes:29
                                                                                                                            execution_graph: node/edge dump of the rendered execution graph (entries are node id, address, API called where one is made, and edges as node->node); the dump is truncated in this extraction. APIs named in the recovered portion: CreateMutexA, LoadStringW, GetModuleFileNameW, LoadLibraryExW, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetThreadUILanguage, GetThreadPreferredUILanguages, SetThreadPreferredUILanguages, IsValidLocale, GetLocaleInfoW, RtlEnterCriticalSection, RtlLeaveCriticalSection, TlsGetValue, TlsSetValue, LocalAlloc, GetStdHandle, WriteFile, GetCurrentThreadId, FreeLibrary, ExitProcess, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetModuleHandleW, GetProcAddress, CharNextW, FindFirstFileW, FindClose, lstrlenW, VirtualQuery, VirtualAlloc, Sleep.
405bce 9538->9540 9546 405b8e Sleep 9538->9546 9543 405989 9539->9543 9550 405a68 9539->9550 9552 405a49 Sleep 9539->9552 9553 405634 VirtualAlloc 9540->9553 9556 405bec 9540->9556 9541->9531 9544 405727 9542->9544 9549 405737 9542->9549 9543->9531 9578 4056b0 9544->9578 9546->9540 9547 405ba4 Sleep 9546->9547 9547->9538 9548->9539 9551 405a1b Sleep 9548->9551 9549->9531 9557 405a74 9550->9557 9583 405634 9550->9583 9551->9536 9552->9550 9555 405a5f Sleep 9552->9555 9553->9556 9555->9539 9556->9531 9557->9531 9559 405ce9 9558->9559 9560 405dcc 9558->9560 9561 405cef 9559->9561 9566 405d66 Sleep 9559->9566 9560->9561 9562 405760 9560->9562 9563 405cf8 9561->9563 9567 405daa Sleep 9561->9567 9573 405de1 9561->9573 9564 405ec6 9562->9564 9565 4056b0 2 API calls 9562->9565 9563->9526 9564->9526 9568 405771 9565->9568 9566->9561 9569 405d80 Sleep 9566->9569 9570 405dc0 Sleep 9567->9570 9567->9573 9571 4057a1 9568->9571 9572 405787 VirtualFree 9568->9572 9569->9559 9570->9561 9574 405798 9571->9574 9575 4057aa VirtualQuery VirtualFree 9571->9575 9572->9574 9576 405e60 VirtualFree 9573->9576 9577 405e04 9573->9577 9574->9526 9575->9571 9575->9574 9576->9526 9577->9526 9579 4056f8 9578->9579 9580 4056b9 9578->9580 9579->9549 9580->9579 9581 4056c4 Sleep 9580->9581 9581->9579 9582 4056de Sleep 9581->9582 9582->9580 9587 4055c8 9583->9587 9585 40563d VirtualAlloc 9586 405654 9585->9586 9586->9557 9588 405568 9587->9588 9588->9585 8608 5b28760 WSAStartup GetLastError 9328 57eeae4 9333 565007c 9328->9333 9330 57eeb04 9338 5649558 9330->9338 9334 5650084 9333->9334 9334->9334 9335 56500d1 9334->9335 9344 564d28c 9334->9344 9335->9330 9337 56500c0 LoadStringW 9337->9335 9339 564955c 9338->9339 9341 5649566 9338->9341 9340 5649cc8 11 API calls 9339->9340 9340->9341 9343 56495a4 9341->9343 9481 5646fd4 9341->9481 9345 564d2b9 9344->9345 9346 564d29a 9344->9346 9345->9337 9346->9345 9349 564d244 9346->9349 9350 564d254 GetModuleFileNameW 9349->9350 9351 564d270 9349->9351 9353 
564e4b8 GetModuleFileNameW 9350->9353 9351->9337 9354 564e506 9353->9354 9359 564e394 9354->9359 9356 564e532 9357 564e54c 9356->9357 9358 564e544 LoadLibraryExW 9356->9358 9357->9351 9358->9357 9363 564e3b5 9359->9363 9360 564e43d 9360->9356 9362 564e42a 9364 564e430 9362->9364 9365 564e43f GetUserDefaultUILanguage 9362->9365 9363->9360 9377 564e0d0 9363->9377 9366 564e1fc 2 API calls 9364->9366 9381 564da80 EnterCriticalSection 9365->9381 9366->9360 9368 564e44c 9401 564e1fc 9368->9401 9370 564e459 9371 564e481 9370->9371 9372 564e467 GetSystemDefaultUILanguage 9370->9372 9371->9360 9405 564e2c8 9371->9405 9374 564da80 17 API calls 9372->9374 9375 564e474 9374->9375 9376 564e1fc 2 API calls 9375->9376 9376->9371 9378 564e0f2 9377->9378 9380 564e0fc 9377->9380 9413 564ddb4 9378->9413 9380->9362 9382 564dacc LeaveCriticalSection 9381->9382 9383 564daac 9381->9383 9450 5649e98 9382->9450 9385 564dabd LeaveCriticalSection 9383->9385 9387 564db6e 9385->9387 9386 564dadd IsValidLocale 9388 564daec 9386->9388 9389 564db3b EnterCriticalSection 9386->9389 9387->9368 9391 564daf5 9388->9391 9392 564db00 9388->9392 9390 564db53 9389->9390 9397 564db64 LeaveCriticalSection 9390->9397 9452 564d964 GetThreadUILanguage 9391->9452 9465 564d768 9392->9465 9395 564dafe 9395->9389 9396 564db09 GetSystemDefaultUILanguage 9396->9389 9398 564db13 9396->9398 9397->9387 9399 564db24 GetSystemDefaultUILanguage 9398->9399 9400 564d768 3 API calls 9399->9400 9400->9395 9403 564e21a 9401->9403 9402 564e295 9402->9370 9403->9402 9474 564e190 9403->9474 9479 5649f7c 9405->9479 9408 564e318 9409 564e190 2 API calls 9408->9409 9410 564e32c 9409->9410 9411 564e35a 9410->9411 9412 564e190 2 API calls 9410->9412 9411->9360 9412->9411 9414 564ddcb 9413->9414 9415 564dddf GetModuleFileNameW 9414->9415 9416 564ddf4 9414->9416 9415->9416 9417 564dfc3 9416->9417 9418 564de1c RegOpenKeyExW 9416->9418 9417->9380 9419 564de43 RegOpenKeyExW 9418->9419 9420 564dedd 9418->9420 9419->9420 9421 564de61 
RegOpenKeyExW 9419->9421 9434 564dbc4 GetModuleHandleW 9420->9434 9421->9420 9423 564de7f RegOpenKeyExW 9421->9423 9423->9420 9425 564de9d RegOpenKeyExW 9423->9425 9424 564defb RegQueryValueExW 9426 564df4c RegQueryValueExW 9424->9426 9427 564df19 9424->9427 9425->9420 9429 564debb RegOpenKeyExW 9425->9429 9428 564df68 9426->9428 9433 564df4a 9426->9433 9431 564df21 RegQueryValueExW 9427->9431 9432 564df70 RegQueryValueExW 9428->9432 9429->9417 9429->9420 9430 564dfb2 RegCloseKey 9430->9380 9431->9433 9432->9433 9433->9430 9435 564dbec GetProcAddress 9434->9435 9436 564dbfd 9434->9436 9435->9436 9440 564dc13 9436->9440 9442 564dc5f 9436->9442 9446 564dba0 9436->9446 9439 564dba0 CharNextW 9439->9442 9440->9424 9441 564dba0 CharNextW 9441->9442 9442->9440 9442->9441 9443 564dce4 FindFirstFileW 9442->9443 9445 564dd4e lstrlenW 9442->9445 9443->9440 9444 564dd00 FindClose lstrlenW 9443->9444 9444->9440 9444->9442 9445->9442 9447 564dbae 9446->9447 9448 564dbbc 9447->9448 9449 564dba6 CharNextW 9447->9449 9448->9439 9448->9440 9449->9447 9451 5649e9e 9450->9451 9451->9386 9453 564d980 9452->9453 9454 564d9d9 9452->9454 9470 564d920 GetThreadPreferredUILanguages 9453->9470 9456 564d920 2 API calls 9454->9456 9460 564d9e1 9456->9460 9458 564da28 SetThreadPreferredUILanguages 9461 564d920 2 API calls 9458->9461 9460->9458 9464 564da69 9460->9464 9463 564da3e 9461->9463 9462 564da59 SetThreadPreferredUILanguages 9462->9464 9463->9462 9463->9464 9464->9395 9466 564d7a3 9465->9466 9467 564d80c IsValidLocale 9466->9467 9469 564d85a 9466->9469 9468 564d81f GetLocaleInfoW GetLocaleInfoW 9467->9468 9467->9469 9468->9469 9469->9396 9471 564d941 9470->9471 9472 564d95a SetThreadPreferredUILanguages 9470->9472 9473 564d94a GetThreadPreferredUILanguages 9471->9473 9472->9454 9473->9472 9475 564e1a5 9474->9475 9476 564e1c2 FindFirstFileW 9475->9476 9477 564e1d2 FindClose 9476->9477 9478 564e1d8 9476->9478 9477->9478 9478->9403 9480 5649f80 GetUserDefaultUILanguage GetLocaleInfoW 
9479->9480 9480->9408 9482 56511f8 11 API calls 9481->9482 9483 5646fd9 9482->9483 9483->9343 8682 5b04a54 LoadLibraryA GetProcAddress 8687 564cd60 8682->8687 8684 5b04aa7 8690 5b048fc 8684->8690 8693 564cab8 8687->8693 8689 564cd6a 8689->8684 8920 5b04894 8690->8920 8694 564caf6 8693->8694 8698 564cadb 8693->8698 8695 564cb64 8694->8695 8697 564cc31 8694->8697 8703 564cbcb 8695->8703 8704 564ca74 8695->8704 8697->8703 8721 564c100 8697->8721 8698->8689 8699 564cab8 32 API calls 8699->8703 8701 564cb7c 8701->8703 8714 564bfd8 8701->8714 8703->8698 8703->8699 8725 56511f8 8704->8725 8706 564ca7d 8707 564ca85 8706->8707 8708 564ca93 8706->8708 8709 56511f8 11 API calls 8707->8709 8710 56511f8 11 API calls 8708->8710 8713 564ca8a 8709->8713 8711 564caa1 8710->8711 8712 56511f8 11 API calls 8711->8712 8712->8713 8713->8701 8715 564bff4 8714->8715 8716 564c038 8714->8716 8715->8716 8719 564c072 8715->8719 8720 564c0a1 8715->8720 8716->8703 8717 564bfd8 32 API calls 8717->8719 8719->8716 8719->8717 8720->8716 8768 564bcfc 8720->8768 8722 564c111 8721->8722 8723 564c109 8721->8723 8722->8703 8896 564bec0 8723->8896 8726 5651207 8725->8726 8727 565122d TlsGetValue 8725->8727 8726->8706 8728 5651237 8727->8728 8729 5651212 8727->8729 8728->8706 8733 56511b4 8729->8733 8732 5651226 8732->8706 8735 56511ba 8733->8735 8734 56511d3 8746 56511a0 LocalAlloc 8734->8746 8735->8734 8742 56511e8 TlsGetValue 8735->8742 8743 5649cc8 8735->8743 8738 56511da 8739 56511de 8738->8739 8740 56511ea TlsSetValue 8738->8740 8741 5649cc8 10 API calls 8739->8741 8740->8742 8741->8742 8742->8732 8747 5649cbc 8743->8747 8746->8738 8750 5649b8c 8747->8750 8751 5649ba8 8750->8751 8752 5649bb2 8750->8752 8760 5649af4 8751->8760 8753 5649bc2 GetCurrentThreadId 8752->8753 8756 5649bcf 8752->8756 8753->8756 8755 5646fa0 8 API calls 8755->8756 8756->8755 8757 5649c5f FreeLibrary 8756->8757 8758 5649c87 ExitProcess 8756->8758 8757->8756 8761 5649afe GetStdHandle WriteFile 8760->8761 8762 5649b5b 8760->8762 
8766 564a91c 8761->8766 8762->8752 8765 5649b4b GetStdHandle WriteFile 8765->8752 8767 564a922 8766->8767 8767->8765 8769 564be9b 8768->8769 8772 564bd1f 8768->8772 8769->8720 8770 564bfd8 32 API calls 8770->8772 8771 564bcfc 32 API calls 8771->8772 8772->8769 8772->8770 8772->8771 8775 564f908 8772->8775 8781 564f8dc 8772->8781 8776 564f91a 8775->8776 8777 564f8dc 14 API calls 8776->8777 8778 564f92f 8777->8778 8785 564f870 8778->8785 8780 564f946 8780->8772 8782 564f8e7 8781->8782 8783 564f901 8781->8783 8885 564f8a8 8782->8885 8783->8772 8786 564f8a3 8785->8786 8787 564f87b 8785->8787 8786->8780 8789 564f4b0 8787->8789 8790 564f4d4 8789->8790 8791 564f4cc 8789->8791 8811 564f1f0 8790->8811 8801 564f34c 8791->8801 8794 564f4fc 8800 564f53f 8794->8800 8815 564f2b8 8794->8815 8826 564f258 8800->8826 8802 564f365 8801->8802 8803 564f3f9 8801->8803 8804 564f376 8802->8804 8830 56488d4 8802->8830 8803->8790 8834 5648a30 8804->8834 8807 564f3d4 8852 5648bc8 8807->8852 8810 564f3a5 8810->8807 8849 564f1dc 8810->8849 8812 564f203 8811->8812 8813 564f1f9 8811->8813 8812->8794 8814 5648a30 13 API calls 8813->8814 8814->8812 8816 564f2c0 8815->8816 8817 564f2c9 8816->8817 8881 564ed88 8816->8881 8819 564f06c 8817->8819 8820 564f086 8819->8820 8821 564f08f 8820->8821 8823 564f0a9 8820->8823 8822 564cd60 32 API calls 8821->8822 8825 564f0a4 8822->8825 8824 564cd60 32 API calls 8823->8824 8823->8825 8824->8825 8825->8800 8827 564f261 8826->8827 8828 564f268 8826->8828 8829 5648bc8 2 API calls 8827->8829 8828->8786 8829->8828 8831 56488dd 8830->8831 8832 56488e2 8830->8832 8857 56487a8 GetModuleHandleW GetProcAddress 8831->8857 8832->8804 8842 5648a3e 8834->8842 8836 5648a8c 8836->8810 8837 5648a67 GetTickCount 8837->8842 8838 5648ad9 GetTickCount 8838->8836 8838->8842 8839 5648b10 GetTickCount 8875 5648c28 8839->8875 8840 5648a7f GetTickCount 8840->8836 8840->8842 8842->8836 8842->8837 8842->8838 8842->8839 8842->8840 8843 5648aae GetCurrentThreadId 8842->8843 8863 5648ebc 
GetCurrentThreadId 8842->8863 8868 56486ec 8842->8868 8843->8836 8845 5648b3a GetTickCount 8846 5648b20 8845->8846 8846->8839 8846->8845 8847 5648ba4 8846->8847 8847->8836 8848 5648baa GetCurrentThreadId 8847->8848 8848->8836 8850 56488d4 5 API calls 8849->8850 8851 564f1e4 8850->8851 8851->8810 8879 56488bc GetCurrentThreadId 8852->8879 8854 5648bd3 8854->8854 8855 5648c28 Sleep 8854->8855 8856 5648bff 8854->8856 8855->8856 8856->8803 8858 56487d0 GetLogicalProcessorInformation 8857->8858 8862 5648818 8857->8862 8859 56487df GetLastError 8858->8859 8858->8862 8860 56487e9 8859->8860 8859->8862 8861 56487f1 GetLogicalProcessorInformation 8860->8861 8861->8862 8862->8832 8864 5648ed0 8863->8864 8865 5648ec9 8863->8865 8866 5648ef7 8864->8866 8867 5648ee4 GetCurrentThreadId 8864->8867 8865->8842 8866->8842 8867->8866 8870 56486f7 8868->8870 8869 5648745 8869->8842 8870->8869 8871 5648726 8870->8871 8872 564871d Sleep 8870->8872 8873 5648735 Sleep 8871->8873 8874 564873e SwitchToThread 8871->8874 8872->8869 8873->8869 8874->8869 8876 5648c81 8875->8876 8877 5648c3a 8875->8877 8876->8846 8877->8876 8878 5648c68 Sleep 8877->8878 8878->8877 8880 56488c9 8879->8880 8880->8854 8882 564ed93 8881->8882 8883 56488d4 5 API calls 8882->8883 8884 564ed9a 8883->8884 8884->8817 8886 564f8ac 8885->8886 8887 564f8b9 8885->8887 8889 564f588 8886->8889 8887->8783 8890 564f634 8889->8890 8891 564f5a8 8889->8891 8890->8887 8892 564f1f0 13 API calls 8891->8892 8893 564f5d0 8892->8893 8894 564f258 2 API calls 8893->8894 8895 564f60f 8894->8895 8895->8887 8897 564bed5 8896->8897 8903 564bef2 8896->8903 8898 564bf26 8897->8898 8899 564beda 8897->8899 8898->8903 8906 564a2ec 8898->8906 8901 564bf65 8899->8901 8902 564bee9 8899->8902 8899->8903 8901->8903 8904 564bec0 32 API calls 8901->8904 8902->8903 8913 564bb54 8902->8913 8903->8722 8904->8901 8907 564a2f0 8906->8907 8908 564a313 8906->8908 8909 5649e78 8907->8909 8912 564a303 SysReAllocStringLen 8907->8912 8908->8898 8910 5649ef4 
8909->8910 8911 5649ee6 SysFreeString 8909->8911 8910->8898 8911->8910 8912->8908 8912->8909 8914 564bce3 8913->8914 8915 564bb79 8913->8915 8914->8902 8915->8914 8916 564f908 32 API calls 8915->8916 8917 564a2ec 2 API calls 8915->8917 8918 564bec0 32 API calls 8915->8918 8919 564bb54 32 API calls 8915->8919 8916->8915 8917->8915 8918->8915 8919->8915 8925 57ebe68 8920->8925 8922 5b048e9 8923 5b048b7 8923->8922 8924 57ebe68 14 API calls 8923->8924 8924->8922 8926 57ebe8e 8925->8926 8931 57ec778 8926->8931 8928 57ebea0 8929 57ebebd 8928->8929 8930 57ebea4 VirtualProtect 8928->8930 8929->8923 8930->8929 8932 57ec78f 8931->8932 8933 57ec924 8932->8933 8934 57ec83c LoadLibraryW 8932->8934 8935 57ec8db LoadLibraryW 8932->8935 8936 57ec858 LoadLibraryW 8932->8936 8937 57ec874 LoadLibraryW 8932->8937 8938 57ec8f4 LoadLibraryW 8932->8938 8939 57ec890 LoadLibraryW 8932->8939 8940 57ec90d LoadLibraryW 8932->8940 8941 57ec7e8 LoadLibraryW 8932->8941 8942 57ec8a9 LoadLibraryW 8932->8942 8943 57ec804 LoadLibraryW 8932->8943 8944 57ec8c2 LoadLibraryW 8932->8944 8945 57ec820 LoadLibraryW 8932->8945 8946 57ec92c 8933->8946 8949 57ec94a 8933->8949 8934->8933 8935->8933 8936->8933 8937->8933 8938->8933 8939->8933 8940->8933 8941->8933 8942->8933 8943->8933 8944->8933 8945->8933 8950 57eca90 8946->8950 8948 57ec937 8948->8949 8949->8928 8953 57ecaac 8950->8953 8951 57ecbc8 8951->8948 8952 57ecba3 LoadLibraryW 8952->8953 8953->8951 8953->8952 8609 5645f50 8610 5645f60 8609->8610 8611 5645fe8 8609->8611 8612 5645fa4 8610->8612 8613 5645f6d 8610->8613 8614 5645ff1 8611->8614 8615 5645888 8611->8615 8616 56459d4 10 API calls 8612->8616 8617 5645f78 8613->8617 8622 56459d4 10 API calls 8613->8622 8619 5646009 8614->8619 8631 5646118 8614->8631 8618 5646263 8615->8618 8620 56458ac VirtualQuery 8615->8620 8621 564598b 8615->8621 8626 5645fbb 8616->8626 8625 564602c 8619->8625 8628 56460f0 8619->8628 8634 5646010 8619->8634 8635 5645953 8620->8635 8641 56458e5 8620->8641 8630 56459d4 10 API 
calls 8621->8630 8645 564593e 8621->8645 8627 5645f85 8622->8627 8623 564617c 8624 56459d4 10 API calls 8623->8624 8632 5646195 8623->8632 8624->8632 8625->8634 8637 564606c Sleep 8625->8637 8633 56459d4 10 API calls 8628->8633 8630->8645 8631->8623 8631->8632 8636 5646154 Sleep 8631->8636 8644 56460f9 8633->8644 8646 56459d4 8635->8646 8636->8623 8639 564616e Sleep 8636->8639 8637->8634 8640 5646084 Sleep 8637->8640 8639->8631 8640->8625 8641->8635 8642 5645912 VirtualAlloc 8641->8642 8642->8635 8643 5645928 VirtualAlloc 8642->8643 8643->8635 8643->8645 8647 5645c34 8646->8647 8648 56459ec 8646->8648 8649 5645d4c 8647->8649 8650 5645bf8 8647->8650 8657 56459fe 8648->8657 8663 5645a89 Sleep 8648->8663 8651 5645d55 8649->8651 8652 5645780 VirtualAlloc 8649->8652 8659 5645c12 Sleep 8650->8659 8661 5645c52 8650->8661 8651->8645 8654 56457db 8652->8654 8655 56457ab 8652->8655 8653 5645a0d 8653->8645 8654->8645 8671 5645734 8655->8671 8657->8653 8658 5645aec 8657->8658 8665 5645acd Sleep 8657->8665 8670 5645af8 8658->8670 8676 56456b8 8658->8676 8659->8661 8662 5645c28 Sleep 8659->8662 8666 56456b8 VirtualAlloc 8661->8666 8667 5645c70 8661->8667 8662->8650 8663->8657 8664 5645a9f Sleep 8663->8664 8664->8648 8665->8658 8669 5645ae3 Sleep 8665->8669 8666->8667 8667->8645 8669->8657 8670->8645 8672 564577c 8671->8672 8673 564573d 8671->8673 8672->8654 8673->8672 8674 5645748 Sleep 8673->8674 8674->8672 8675 5645762 Sleep 8674->8675 8675->8673 8680 564564c 8676->8680 8678 56456c1 VirtualAlloc 8679 56456d8 8678->8679 8679->8670 8681 56455ec 8680->8681 8681->8678 11506 2ff004a 11507 2ff0053 11506->11507 11509 2ff007d CreateMutexA 11507->11509 8954 5b3d444 8957 5651764 GetModuleHandleW 8954->8957 8956 5b3d454 8958 565179f 8957->8958 8958->8956 9589 7eee00 9612 4104f0 GetModuleHandleW 9589->9612 9591 7eee18 9614 7e937c waveOutGetVolume 9591->9614 9594 7eef02 9595 409cb4 11 API calls 9594->9595 9597 7eef1c 9595->9597 9598 7eee3b 9598->9594 9599 7eee97 9598->9599 9600 7eee79 
Sleep 9598->9600 9599->9594 9622 7e9724 9599->9622 9600->9599 9600->9600 9602 7eeeac 9602->9594 9639 7e9978 GetTickCount64 9602->9639 9604 7eeec0 9604->9594 9641 7e9998 SystemParametersInfoW 9604->9641 9608 7eeed7 9608->9594 9664 409b14 9608->9664 9613 41052b 9612->9613 9613->9591 9615 7e9391 9614->9615 9615->9594 9616 7e93d8 CoInitialize 9615->9616 9728 40d6fc 9616->9728 9619 7e9425 9619->9598 9620 7e94b6 CoUninitialize 9620->9598 9620->9619 9621 7e9436 9621->9619 9621->9620 9623 409c54 11 API calls 9622->9623 9624 7e9769 9623->9624 9730 40a744 9624->9730 9627 40a930 11 API calls 9628 7e9786 9627->9628 9733 42187c 9628->9733 9632 7e97aa 9757 729ee4 9632->9757 9634 7e983a 9634->9602 9636 7e97b6 9636->9634 9637 7e9824 9636->9637 9761 41f8e8 9636->9761 9638 40aaf8 11 API calls 9637->9638 9638->9634 9640 7e998d 9639->9640 9640->9604 9642 7e99c2 9641->9642 9642->9594 9643 7e99f0 9642->9643 9644 729ee4 60 API calls 9643->9644 9645 7e9a32 GetSystemInfo 9644->9645 9646 42187c 80 API calls 9645->9646 9647 7e9a6a 9646->9647 9648 42187c 80 API calls 9647->9648 9649 7e9a92 GetLogicalProcessorInformation GetLastError 9648->9649 9651 7e9ab7 9649->9651 9656 7e9ae2 9649->9656 9652 40be80 34 API calls 9651->9652 9653 7e9ace GetLogicalProcessorInformation 9652->9653 9654 7e9b33 9653->9654 9653->9656 9655 42187c 80 API calls 9654->9655 9659 7e9b60 9655->9659 9657 409cb4 11 API calls 9656->9657 9658 7e9bc1 9657->9658 9660 409c54 11 API calls 9658->9660 9659->9608 9661 7e9bc9 9660->9661 9662 40bfa4 27 API calls 9661->9662 9663 7e9bd7 9662->9663 9663->9608 9665 409b3f 9664->9665 9667 409b31 CreateThread 9664->9667 9666 406e58 11 API calls 9665->9666 9666->9667 9669 409b80 9667->9669 9670 409b79 9667->9670 10198 409adc 9667->10198 9672 7e9d18 9669->9672 9671 406e74 11 API calls 9670->9671 9671->9669 10202 7e7ec8 9672->10202 9674 7e9d51 10207 7e9238 GetModuleHandleW GetProcAddress 9674->10207 9679 7e9d8a 10216 7b5354 9679->10216 9681 7e9df3 GetModuleHandleW 9682 7e9e10 9681->9682 10330 
7b3fd8 9682->10330 9683 7e9da4 9683->9681 9685 72bdb8 57 API calls 9683->9685 9687 7e9dc5 9685->9687 10257 7e29c0 9687->10257 9693 409c54 11 API calls 9696 7e9f28 9693->9696 9699 409c9c SysFreeString 9696->9699 9700 7e9f30 9699->9700 9703 409cb4 11 API calls 9700->9703 9702 4071b8 13 API calls 9704 7e9e62 9702->9704 9705 7e9f3d 9703->9705 10349 421318 9704->10349 9707 409c78 11 API calls 9705->9707 9708 7e9f45 9707->9708 9709 409c54 11 API calls 9708->9709 9710 7e9f4d 9709->9710 9713 409cb4 11 API calls 9710->9713 9711 7e9ea9 9715 40a930 11 API calls 9711->9715 9712 7e9e6d 9712->9711 9717 40aaf8 11 API calls 9712->9717 9714 7e9f5a 9713->9714 9714->9594 9716 7e9eb9 9715->9716 9718 4071b8 13 API calls 9716->9718 9717->9711 9719 7e9ec3 9718->9719 9720 40a988 11 API calls 9719->9720 9722 7e9ed5 9720->9722 9721 7e9ef0 9724 40a988 11 API calls 9721->9724 9722->9721 9723 40a930 11 API calls 9722->9723 9723->9721 9725 7e9efe 9724->9725 10353 7b40e0 GetModuleHandleW 9725->10353 9727 7e9f11 9727->9693 9729 40d702 CoCreateInstance 9728->9729 9729->9619 9729->9621 9731 409ddc 11 API calls 9730->9731 9732 40a751 9731->9732 9732->9627 9771 4218a4 9733->9771 9736 7e9508 9737 7e9511 9736->9737 9737->9737 9738 409c54 11 API calls 9737->9738 9739 7e9548 9738->9739 9740 7e9565 CreatePipe 9739->9740 9741 7e9597 GetStdHandle 9740->9741 9742 7e9592 9740->9742 9744 40a988 11 API calls 9741->9744 9826 428598 GetLastError 9742->9826 9745 7e95e5 9744->9745 9746 7e95f0 CreateProcessW 9745->9746 9747 7e95fc 9746->9747 9748 7e9601 CloseHandle CloseHandle 9746->9748 9750 428598 83 API calls 9747->9750 9816 72d1ac 9748->9816 9750->9748 9751 7e9643 ReadFile 9752 7e9668 9751->9752 9753 7e961f 9751->9753 9822 72d2fc 9752->9822 9753->9751 9753->9752 9829 72bdb8 9753->9829 9756 7e9673 9756->9632 9758 729eea 9757->9758 10189 727838 9758->10189 9760 729eff 9760->9636 9762 41f8fb 9761->9762 9763 41f92f 9762->9763 9768 41f923 9762->9768 9764 41f947 9763->9764 9767 41f950 9763->9767 9765 409c54 11 API 
calls 9764->9765 9766 41f92d 9765->9766 9766->9636 10195 42b678 9767->10195 9770 40a034 11 API calls 9768->9770 9770->9766 9774 4218d4 9771->9774 9775 4218dd 9774->9775 9777 42193d 9775->9777 9787 4217f4 9775->9787 9778 4219b0 9777->9778 9785 42195a 9777->9785 9779 409ddc 11 API calls 9778->9779 9780 42189c 9779->9780 9780->9736 9781 4219a4 9783 40a8b0 11 API calls 9781->9783 9782 409c54 11 API calls 9782->9785 9783->9780 9784 40a8b0 11 API calls 9784->9785 9785->9781 9785->9782 9785->9784 9786 4217f4 80 API calls 9785->9786 9786->9785 9790 421c0c 9787->9790 9795 421c5f 9790->9795 9797 421c66 9790->9797 9791 409cb4 11 API calls 9792 4225b0 9791->9792 9793 409c54 11 API calls 9792->9793 9794 42180d 9793->9794 9794->9777 9796 421778 80 API calls 9795->9796 9795->9797 9798 40a744 11 API calls 9795->9798 9801 4204b8 34 API calls 9795->9801 9802 420158 9795->9802 9809 4201c4 9795->9809 9796->9795 9797->9791 9798->9795 9801->9795 9803 420172 9802->9803 9804 420162 9802->9804 9806 41fd4c 11 API calls 9803->9806 9812 41fd4c 9804->9812 9808 42017d 9806->9808 9807 42016f 9807->9795 9808->9795 9810 41fd4c 11 API calls 9809->9810 9811 4201d5 9810->9811 9811->9795 9813 41fd5e 9812->9813 9814 40a8b0 11 API calls 9813->9814 9815 41fdd8 9814->9815 9815->9807 9817 72d1b2 9816->9817 9838 42bcfc 9817->9838 9819 72d1c3 9842 72d064 9819->9842 9821 72d1d1 9821->9753 9823 72d308 9822->9823 10127 42d1d8 9823->10127 9825 72d317 9825->9756 10171 4285a8 9826->10171 9830 72bdd5 9829->9830 9831 42644c 57 API calls 9830->9831 9836 72bdf2 9830->9836 9833 72bded 9831->9833 9832 72be2d 9832->9751 9834 409314 11 API calls 9833->9834 9834->9836 9835 42644c 57 API calls 9835->9836 9836->9832 9836->9835 9837 409314 11 API calls 9836->9837 9837->9836 9839 42bd1c 9838->9839 9840 42bd05 GetACP 9838->9840 9839->9819 9850 42d49c 9840->9850 9843 72d076 9842->9843 9879 42c764 9843->9879 9847 72d0cc 9889 40bfa4 9847->9889 9851 42d4a8 9850->9851 9852 42d4c2 9851->9852 9853 42d4b8 GetACP 9851->9853 9854 42d4c5 
GetCPInfo 9852->9854 9853->9854 9855 42d4e2 9854->9855 9857 42d4f9 9854->9857 9860 42644c 9855->9860 9857->9839 9858 42d4f4 9864 409314 9858->9864 9861 426453 9860->9861 9870 40ee08 9861->9870 9863 42646b 9863->9858 9865 409322 9864->9865 9866 409318 9864->9866 9869 409360 9865->9869 9876 406f30 9865->9876 9867 409a84 11 API calls 9866->9867 9867->9865 9872 40ee10 9870->9872 9871 40ee5d 9871->9863 9872->9871 9873 40c270 56 API calls 9872->9873 9874 40ee4c LoadStringW 9873->9874 9875 409ddc 11 API calls 9874->9875 9875->9871 9877 40ff84 11 API calls 9876->9877 9878 406f35 9877->9878 9878->9869 9880 42c77b 9879->9880 9895 40be80 9880->9895 9884 42c7d3 9885 72cf2c 9884->9885 9886 72cf38 9885->9886 9887 40bfe8 27 API calls 9886->9887 9888 72cf60 9887->9888 9888->9847 9890 40bfaa 9889->9890 9893 40bfe4 9889->9893 9890->9893 9894 40bfdb 9890->9894 10074 40aec4 9890->10074 9891 406e74 11 API calls 9891->9893 9893->9821 9894->9891 9928 40bbd8 9895->9928 9898 42c7f8 9899 42c840 9898->9899 9900 42c81c 9898->9900 9902 42c869 9899->9902 9907 42644c 57 API calls 9899->9907 10064 42651c 9900->10064 9904 42c896 9902->9904 9908 42651c 80 API calls 9902->9908 9905 42c8be 9904->9905 9909 42651c 80 API calls 9904->9909 9913 42c8f5 9905->9913 9917 42651c 80 API calls 9905->9917 9906 409314 11 API calls 9906->9899 9910 42c864 9907->9910 9911 42c891 9908->9911 9912 42c8b9 9909->9912 9914 409314 11 API calls 9910->9914 9915 409314 11 API calls 9911->9915 9916 409314 11 API calls 9912->9916 9919 42651c 80 API calls 9913->9919 9923 42c931 9913->9923 9914->9902 9915->9904 9916->9905 9918 42c8f0 9917->9918 9920 409314 11 API calls 9918->9920 9921 42c92c 9919->9921 9920->9913 9922 409314 11 API calls 9921->9922 9922->9923 9924 42644c 57 API calls 9923->9924 9925 42c96b 9923->9925 9926 42c966 9924->9926 9925->9884 9927 409314 11 API calls 9926->9927 9927->9925 9929 40bbfb 9928->9929 9934 40bc16 9928->9934 9930 40bc06 9929->9930 9961 406f94 9929->9961 9932 40bfa4 27 API calls 9930->9932 9933 
40bc11 9932->9933 9933->9898 9935 40bc64 9934->9935 9936 406f94 11 API calls 9934->9936 9937 40bc72 9935->9937 9939 406f94 11 API calls 9935->9939 9936->9935 9938 40bc84 9937->9938 9940 40bd51 9937->9940 9941 40bc94 9938->9941 9942 40bd3f 9938->9942 9939->9937 9945 406e58 11 API calls 9940->9945 9964 40bb94 9941->9964 9944 406e8c 11 API calls 9942->9944 9950 40bd12 9944->9950 9946 40bd58 9945->9946 9953 40bd99 9946->9953 9983 40b6b8 9946->9983 9948 40bca0 9952 406e58 11 API calls 9948->9952 9949 40bd14 9951 406e8c 11 API calls 9949->9951 9950->9933 9954 40bbd8 34 API calls 9950->9954 9951->9950 9957 40bcb7 9952->9957 9956 40bfa4 27 API calls 9953->9956 9954->9950 9956->9950 9957->9950 9974 40b590 9957->9974 9959 40bceb 9960 406e74 11 API calls 9959->9960 9960->9950 9962 406f48 11 API calls 9961->9962 9963 406fa7 9962->9963 9963->9930 9965 40ff84 11 API calls 9964->9965 9966 40bb9d 9965->9966 9967 40bba5 9966->9967 9969 40bbb3 9966->9969 9968 40ff84 11 API calls 9967->9968 9970 40bbaa 9968->9970 9971 40ff84 11 API calls 9969->9971 9970->9948 9970->9949 9972 40bbc1 9971->9972 9973 40ff84 11 API calls 9972->9973 9973->9970 9975 40b5ac 9974->9975 9977 40b5f0 9974->9977 9976 40b682 9975->9976 9975->9977 9978 40b659 9975->9978 9979 40b62a 9975->9979 9980 406f94 11 API calls 9976->9980 9977->9959 9978->9977 9987 40b2b4 9978->9987 9979->9977 9981 40b590 34 API calls 9979->9981 9980->9977 9981->9979 9984 40b6c1 9983->9984 9985 40b6c9 9983->9985 10009 40b478 9984->10009 9985->9953 9988 40b453 9987->9988 9989 40b2d7 9987->9989 9988->9978 9989->9988 9990 406f94 11 API calls 9989->9990 9991 40b2b4 34 API calls 9989->9991 9992 40b590 34 API calls 9989->9992 9995 40e8ec 9989->9995 10003 40e8c0 9989->10003 9990->9989 9991->9989 9992->9989 9996 40e8fe 9995->9996 9997 40e8c0 25 API calls 9996->9997 9998 40e913 9997->9998 9999 408180 11 API calls 9998->9999 10000 40e922 9999->10000 10001 40e854 34 API calls 10000->10001 10002 40e92a 10001->10002 10002->9989 10004 40e8e5 10003->10004 
[Control-flow graph edge listing (node addresses with API-call counts); the rendered graph was not extracted]

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll,00000000,007B55F5), ref: 007B539D
                                                                                                                            • CryptAcquireContextA.ADVAPI32(00000004,00000000,00000000,00000018,F0000000,advapi32.dll,00000000,007B55F5), ref: 007B53D2
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B53E5
                                                                                                                            • CryptCreateHash.ADVAPI32(00000004,00008003,00000000,00000000,002CCA80,advapi32.dll), ref: 007B541C
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B542F
                                                                                                                            • CryptHashData.ADVAPI32(002CCA80,00000000,00000000,00000000,advapi32.dll), ref: 007B547A
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B548D
                                                                                                                            • CryptDeriveKey.ADVAPI32(00000004,00006610,002CCA80,00000000,00001000,advapi32.dll), ref: 007B54C6
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B54E1
                                                                                                                            • CryptDecrypt.ADVAPI32(00001000,00000000,000000FF,00000000,?,00000000,advapi32.dll), ref: 007B551B
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B5536
                                                                                                                            • CryptDestroyKey.ADVAPI32(00001000,advapi32.dll), ref: 007B5560
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B556B
                                                                                                                            • CryptDestroyHash.ADVAPI32(002CCA80,advapi32.dll), ref: 007B5595
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B55A0
                                                                                                                            • CryptReleaseContext.ADVAPI32(00000004,00000000,advapi32.dll), ref: 007B55CC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CryptLibraryLoad$Hash$ContextDestroy$AcquireCreateDataDecryptDeriveRelease
                                                                                                                            • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptHashData$CryptReleaseContext$advapi32.dll
                                                                                                                            • API String ID: 356472661-3162055376
                                                                                                                            • Opcode ID: fec46e047e9ddfbb83fe1a6393d567993411663d334542dbc158f3109344dd6e
                                                                                                                            • Instruction ID: 47a17ac59eb57dbe9d34b909bc6e916c90a8f8a8bd0d4f90a573f526ac9ac154
                                                                                                                            • Opcode Fuzzy Hash: fec46e047e9ddfbb83fe1a6393d567993411663d334542dbc158f3109344dd6e
                                                                                                                            • Instruction Fuzzy Hash: BF710F71E0020CAFDB11EFE5D985BEEB7B9EB08704F54812AF504F7291DA78A901CB65

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CreatePipe.KERNEL32(?,?,00000000,00000000,00000000,007E96CC,?,00000000,007E96EF), ref: 007E9589
                                                                                                                            • GetStdHandle.KERNEL32(000000F6,00000000,007E96BB,?,?,?,00000000,00000000,00000000,007E96CC,?,00000000,007E96EF), ref: 007E95B3
                                                                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08000000,00000000,00000000,00000044,?,000000F6,00000000,007E96BB,?,?,?), ref: 007E95F3
                                                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,000000FF,08000000,00000000,00000000,00000044,?,000000F6,00000000,007E96BB,?,?), ref: 007E9605
                                                                                                                            • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,000000FF,08000000,00000000,00000000,00000044,?,000000F6,00000000,007E96BB), ref: 007E960E
                                                                                                                            • ReadFile.KERNEL32(?,?,00002000,?,00000000,00000000,007E9689,?,?,?,00000000,00000000,00000000,00000000,000000FF,08000000), ref: 007E9659
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Handle$CloseCreate$FilePipeProcessRead
                                                                                                                            • String ID: <p$D$cmd.exe /C
                                                                                                                            • API String ID: 4083379186-4185180293
                                                                                                                            • Opcode ID: 42343ff3d35f8c2b3a18e0bda502392547dc06e527fe378d4099dc0fefe20691
                                                                                                                            • Instruction ID: aea3c24c8656945c2a6e50c6d6569f138bee8bd9435b15d3ee1a623a0e3af2da
                                                                                                                            • Opcode Fuzzy Hash: 42343ff3d35f8c2b3a18e0bda502392547dc06e527fe378d4099dc0fefe20691
                                                                                                                            • Instruction Fuzzy Hash: 3D415CB1A00248AFDB10DFA5CC46BEEB7B8EB09704F514566FA04E7291E738A950CB65
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,NtQueryVirtualMemory), ref: 05B04A73
                                                                                                                            • GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 05B04A79
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: NtQueryVirtualMemory$ntdll.dll
                                                                                                                            • API String ID: 2574300362-2623246514
                                                                                                                            • Opcode ID: 772ddd63a3bb01bb51ed45e89fcc4396b0ebcd1de89c42bfc586617a68b01369
                                                                                                                            • Instruction ID: 0aa30406e005f14d4d06cb20f8da144fec3b2f63e4fadb6068e1044591923b41
                                                                                                                            • Opcode Fuzzy Hash: 772ddd63a3bb01bb51ed45e89fcc4396b0ebcd1de89c42bfc586617a68b01369
                                                                                                                            • Instruction Fuzzy Hash: DD018B35B142488FDB00EFE4E842A6A7FA2E744314F11A1E4E8145B380EA72B900CF89
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,NtQueryVirtualMemory), ref: 007B4F4B
                                                                                                                            • GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 007B4F51
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: NtQueryVirtualMemory$ntdll.dll
                                                                                                                            • API String ID: 2574300362-2623246514
                                                                                                                            • Opcode ID: 66ebbfa2784b3ac5fbb9ab1e3a713bf9959c7c3717c5e925c5b7f31504a21437
                                                                                                                            • Instruction ID: f17778a7c0ed964feba1de9a29f05c9ee118eaa7513c5c1b1aaaad5e909bb89e
                                                                                                                            • Opcode Fuzzy Hash: 66ebbfa2784b3ac5fbb9ab1e3a713bf9959c7c3717c5e925c5b7f31504a21437
                                                                                                                            • Instruction Fuzzy Hash: 04F08171A042889FD701DB68ED02BBA37A5A701304F51817AE920673E2D6BE6D04CB4D
                                                                                                                            APIs
                                                                                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0564E388,?,?), ref: 0564E2FA
                                                                                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0564E388,?,?), ref: 0564E303
                                                                                                                              • Part of subcall function 0564E190: FindFirstFileW.KERNEL32(00000000,?,00000000,0564E1EE,?,00000001), ref: 0564E1C3
                                                                                                                              • Part of subcall function 0564E190: FindClose.KERNEL32(00000000,00000000,?,00000000,0564E1EE,?,00000001), ref: 0564E1D3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3216391948-0
                                                                                                                            • Opcode ID: 1054f9f712d1ebf4883873519b2166af4629ee08ba791d9a9c98cff3222e52f5
                                                                                                                            • Instruction ID: 93b161dd8c11165c211d60ff17094ca199596e57ffcd1fb9a6ff225d51feddd1
                                                                                                                            • Opcode Fuzzy Hash: 1054f9f712d1ebf4883873519b2166af4629ee08ba791d9a9c98cff3222e52f5
                                                                                                                            • Instruction Fuzzy Hash: E8115E70B44209ABDF01EFA8C985AAEB7B9FF48700F504479A505E7350EB359E05CE6A
                                                                                                                            APIs
                                                                                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040D36C,?,00000000), ref: 0040D2DE
                                                                                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040D36C,?,00000000), ref: 0040D2E7
                                                                                                                              • Part of subcall function 0040D174: FindFirstFileW.KERNEL32(00000000,?,00000000,0040D1D2,?,00000001), ref: 0040D1A7
                                                                                                                              • Part of subcall function 0040D174: FindClose.KERNEL32(00000000,00000000,?,00000000,0040D1D2,?,00000001), ref: 0040D1B7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3216391948-0
                                                                                                                            • Opcode ID: 8171befa399776394855f7772752bf61937ae0edf01eb9956f216c50ffbe8403
                                                                                                                            • Instruction ID: 5bee3d7389c6acc46d28f30a4437a6c5884315750edb49e093e002628e217075
                                                                                                                            • Opcode Fuzzy Hash: 8171befa399776394855f7772752bf61937ae0edf01eb9956f216c50ffbe8403
                                                                                                                            • Instruction Fuzzy Hash: E7113670E042099BDB04EBD6C842AAEB3B8EF45304F50447BB904B73D2D7785E089B6A
                                                                                                                            APIs
                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0564E1EE,?,00000001), ref: 0564E1C3
                                                                                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,0564E1EE,?,00000001), ref: 0564E1D3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2295610775-0
                                                                                                                            • Opcode ID: 746a7d2c7c912494da3844557da6c132c47749344485c5db3c73d9477a5ff7cc
                                                                                                                            • Instruction ID: 195b82ca74035f6676be0f717261d71418b3880c1e74c719a7aa8382d4ecf68d
                                                                                                                            • Opcode Fuzzy Hash: 746a7d2c7c912494da3844557da6c132c47749344485c5db3c73d9477a5ff7cc
                                                                                                                            • Instruction Fuzzy Hash: 0DF0EC31A80608AFCB50FBB8CC4588EB3ACFB09210B9005B4B814E3A90EB359E00ED19
                                                                                                                            APIs
                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0040D1D2,?,00000001), ref: 0040D1A7
                                                                                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,0040D1D2,?,00000001), ref: 0040D1B7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2295610775-0
                                                                                                                            • Opcode ID: fe91577be7694345b3bd61ae064f8131bb2564a11eb294cbc6706a48d2411828
                                                                                                                            • Instruction ID: 192523cf65dfd34f1bc7ea18d8bc0f8208b7c2a571063501f4a3b4ccb64d2d8e
                                                                                                                            • Opcode Fuzzy Hash: fe91577be7694345b3bd61ae064f8131bb2564a11eb294cbc6706a48d2411828
                                                                                                                            • Instruction Fuzzy Hash: 15F0BE30900604AEC710FBB5CC5298EB7FCEB45320BA005B6B800F31D2EB389E18995C
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNEL32(?,?,00003000,00000004,00000000,007B52AF), ref: 007B5068
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,00003000,00000004,00000000,007B52AF), ref: 007B5086
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B509D
                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B50C8
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000001C,ntdll.dll,kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B50F2
                                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 007B50F9
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007B510D
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007B5157
                                                                                                                            • GetNativeSystemInfo.KERNEL32(?,kernel32.dll), ref: 007B5181
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 007B51A2
                                                                                                                              • Part of subcall function 007B4320: VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,00000000,007B4494), ref: 007B43A7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocHandleModuleVirtual$Heap$AllocateInfoNativeProcessSystem
                                                                                                                            • String ID: GetNativeSystemInfo$GetProcessHeap$RtlAllocateHeap$VirtualFree$kernel32.dll$ntdll.dll
                                                                                                                            • API String ID: 3588257604-3383334672
                                                                                                                            • Opcode ID: 5252a676d7cf67b3433c0d4f0307cf49fa20c743a513d3c0947a1f3d5c15c59c
                                                                                                                            • Instruction ID: 5a2516d524bd7c5ddbea5265d8c0d5986cf8ec3fc2fcd87e6724b89241428392
                                                                                                                            • Opcode Fuzzy Hash: 5252a676d7cf67b3433c0d4f0307cf49fa20c743a513d3c0947a1f3d5c15c59c
                                                                                                                            • Instruction Fuzzy Hash: 3991D7B4A006089FDB01EFE8C945BEEB7F4BF09304F1085A5E904AB396D779AE45CB54

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0564DFD9,?,?), ref: 0564DDED
• RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0564DFD9,?,?), ref: 0564DE36
• RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0564DFD9,?,?), ref: 0564DE58
• RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0564DE76
• RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0564DE94
• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0564DEB2
• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0564DED0
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0564DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0564DFD9), ref: 0564DF10
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0564DFBC,?,80000001), ref: 0564DF3B
• RegCloseKey.ADVAPI32(?,0564DFC3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0564DFBC,?,80000001,Software\Embarcadero\Locales), ref: 0564DFB6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
• Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
Yara matches
Similarity
• API ID: Open$QueryValue$CloseFileModuleName
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
• API String ID: 2701450724-3496071916
• Opcode ID: 694f44b912d28a8df663468a81a983003017478533483d671b6067dccb43d8a7
• Instruction ID: 007d67f21bce1dbe32fdfca3870343e4424a9e75587154de3a7bda435271cda0
• Opcode Fuzzy Hash: 694f44b912d28a8df663468a81a983003017478533483d671b6067dccb43d8a7
• Instruction Fuzzy Hash: CA515375F40208BFEB60EAE4CC45FEEB3BCEB18B04F504466BA15E6680D6709A40DF59

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000105), ref: 0040CDD1
• RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0040CE1A
• RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0040CE3C
• RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0040CE5A
• RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040CE78
• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040CE96
• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040CEB4
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040CFA0,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0040CEF4
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040CFA0,?,80000001), ref: 0040CF1F
• RegCloseKey.ADVAPI32(?,0040CFA7,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040CFA0,?,80000001,Software\Embarcadero\Locales), ref: 0040CF9A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: Open$QueryValue$CloseFileModuleName
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
• API String ID: 2701450724-3496071916
• Opcode ID: 46e66a179eb4bbe26a1e050c71660e13605297553b314f6af2c01b25ea4ae4ed
• Instruction ID: 31d9fc0e4a97f6cdb70b22023e3312d363e3fc5f4fbd7394f3dccabe31c86c42
• Opcode Fuzzy Hash: 46e66a179eb4bbe26a1e050c71660e13605297553b314f6af2c01b25ea4ae4ed
• Instruction Fuzzy Hash: C8517575A40609BEEB10EB91CC82FAFB3BCEB08704F60417BB614F61C2D67899059B59

Control-flow Graph

(graph image not extracted; recovered from the graph text: function at 007B4A04, basic blocks 184-216 ending at 007B4C13; internal calls 007B42DC, 0040A2DC, 007B3FD8, 00409CE4, 0040BE80; API nodes GetModuleHandleW x2, IsBadReadPtr, LoadLibraryA, GetProcAddress x2)
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,007B4C14), ref: 007B4A5F
• IsBadReadPtr.KERNEL32(?,00000014), ref: 007B4A8B
• LoadLibraryA.KERNEL32(00000004), ref: 007B4AB0
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: HandleLibraryLoadModuleRead
• String ID: FreeLibrary$IsBadReadPtr$kernel32.dll$l?{
• API String ID: 451321832-101461405
• Opcode ID: 971622f1188d7a1cb5bfba1f7b5d6b2348bcffe93499f32e63adb521971de2b6
• Instruction ID: 9dcba612fda944ade1e3116f5c822e680645cf716477f5e54a39763873799cd9
• Opcode Fuzzy Hash: 971622f1188d7a1cb5bfba1f7b5d6b2348bcffe93499f32e63adb521971de2b6
• Instruction Fuzzy Hash: 9A71D3B5A00209DFCB01CF98C885BEEBBF4FB09314F148465E915AB392D338E981CB65

Control-flow Graph

APIs
• GetSystemInfo.KERNEL32(?,00000000,007E9B8C,?,00000000,007E9B9D,?,00000000,007E9BD8), ref: 007E9A47
• GetLogicalProcessorInformation.KERNEL32(00000000,00000000,?,00000000,007E9B9D,?,00000000,007E9BD8), ref: 007E9AA8
• GetLastError.KERNEL32(00000000,00000000,?,00000000,007E9B9D,?,00000000,007E9BD8), ref: 007E9AAD
• GetLogicalProcessorInformation.KERNEL32(007EEF1D,00000000), ref: 007E9AD9
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: InformationLogicalProcessor$ErrorInfoLastSystem
• String ID: Failed to get logical processor information.$Logical Processor Count: %d$Number of Processors: %d$Processor Architecture: %d$J@
• API String ID: 1544102426-2207478826
• Opcode ID: 2339d6626d47ba9474be9e537d151d467eb5dc226133e7cccffbeb2a53744075
• Instruction ID: fbe9dfa0372ccc05cfa483fef58cdc88ef828daadaa5b9f9fd618da614c26959
• Opcode Fuzzy Hash: 2339d6626d47ba9474be9e537d151d467eb5dc226133e7cccffbeb2a53744075
• Instruction Fuzzy Hash: 34514EB5A041489FDB04DFA5D88199EBBF5EF4C304F60847AE501E7351EB38AE06CB65

Control-flow Graph

APIs
• RtlEnterCriticalSection.NTDLL(007F9C14), ref: 0040CA82
• RtlLeaveCriticalSection.NTDLL(007F9C14), ref: 0040CAA6
• RtlLeaveCriticalSection.NTDLL(007F9C14), ref: 0040CAB5
• IsValidLocale.KERNEL32(00000000,00000002,00000000,0040CB68,?,?,00000000,00000000,?,0040D430), ref: 0040CAC7
• RtlEnterCriticalSection.NTDLL(007F9C14), ref: 0040CB24
• RtlLeaveCriticalSection.NTDLL(007F9C14), ref: 0040CB4D
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: CriticalSection$Leave$Enter$LocaleValid
• String ID: en-GB,en,en-US,
• API String ID: 975949045-3021119265
• Opcode ID: a027c81bc5b0b1ba8908dffc366947824cc29904f552f568dd959eb62179dc25
• Instruction ID: 5ba4059f85e3b8fad3d5969036239b0fe54acfcf38ec489f4ad6e162a7c7b5eb
• Opcode Fuzzy Hash: a027c81bc5b0b1ba8908dffc366947824cc29904f552f568dd959eb62179dc25
• Instruction Fuzzy Hash: 4F216260700604DAD711B7B6989376A32E49B84754BA0853BB200B73D2DABC9D80CABE

Control-flow Graph

(graph image not extracted; recovered from the graph text: function at 007B4320, basic blocks 313-331 ending at 007B4493; internal calls 007B42A0, 00409C78, 007B5330, 0040A2DC, 007B3FD8; API nodes VirtualAlloc x2, GetModuleHandleW, RtlZeroMemory)
APIs
• VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,00000000,007B4494), ref: 007B43A7
• GetModuleHandleW.KERNEL32(ntdll.dll,?,00000000,00001000,00000004,00000000,007B4494), ref: 007B43D8
• RtlZeroMemory.NTDLL(00000000,00000000), ref: 007B4406
• VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,00000000,007B4494), ref: 007B442A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleZero
• String ID: ($RtlZeroMemory$ntdll.dll
• API String ID: 3603811010-1796206821
• Opcode ID: 491883d5a52b37a4f23481437eede2406cdcc3989a8c28b3e6a852f1c2f6c987
• Instruction ID: 01a23bcc3d4f996a8320fe89851c3d399baee136aba276ddcaaf7be31d1fd522
• Opcode Fuzzy Hash: 491883d5a52b37a4f23481437eede2406cdcc3989a8c28b3e6a852f1c2f6c987
• Instruction Fuzzy Hash: 0C518B75E002589FCB40DFA8C985BEEB7F4FB08314F2581AAE504B7352D379AD518B64

                                                                                                                            Control-flow Graph
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000000,?,?,00000000,00405946), ref: 00405D6A
                                                                                                                            • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00405946), ref: 00405D84
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: bf55c4a8b4325fc80d3ba671499515482fef93059d5458a4d5b70fd8e74363ca
                                                                                                                            • Instruction ID: f42874e96fb100516b1e3b15773f3479f6daa7b2b6afeb8833a6be1f5f91c3e8
                                                                                                                            • Opcode Fuzzy Hash: bf55c4a8b4325fc80d3ba671499515482fef93059d5458a4d5b70fd8e74363ca
                                                                                                                            • Instruction Fuzzy Hash: A271C231604A008BE715DB29D988B2BBBD4EF85314F14C2BFE448AB3D6D6788C41CF99

                                                                                                                            Control-flow Graph
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                             • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 788740c004d95050d2a400a6b4fe8b5c4070cf7ecba720160fd36448bc475cf6
                                                                                                                            • Instruction ID: c6bce8fe077074a455aa48501e8fdc8d8398b9151e031468167f7f7a254323e9
                                                                                                                            • Opcode Fuzzy Hash: 788740c004d95050d2a400a6b4fe8b5c4070cf7ecba720160fd36448bc475cf6
                                                                                                                            • Instruction Fuzzy Hash: CCC165727147440BD725EA7CDC8877EB786ABD5221F18823EE216CB785DBA4C846CF84

                                                                                                                            Control-flow Graph
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 79643ef1003fa301609067a8eb4aa8843e0c70367852bd7da28e5c391c9f8f21
                                                                                                                            • Instruction ID: 8bf2f484fb052dc348627bc6056703cb5cc6fcb1b83457ffed024862f1f7e90f
                                                                                                                            • Opcode Fuzzy Hash: 79643ef1003fa301609067a8eb4aa8843e0c70367852bd7da28e5c391c9f8f21
                                                                                                                            • Instruction Fuzzy Hash: CDC124B2700A014BE714AA7D9C8436FB386DB84324F18823FE615EB3C6DA7CCC558B58

                                                                                                                            Control-flow Graph
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,007B4697), ref: 007B4594
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HandleModule
                                                                                                                            • String ID: VirtualFree$VirtualProtect$kernel32.dll
                                                                                                                            • API String ID: 4139908857-1224923055
                                                                                                                            • Opcode ID: 19c8551c2195fcdceebd7926ab0eb691ef3b0810175740698e713e31f368a411
                                                                                                                            • Instruction ID: 0b8ab5a9b2856f36598400422616f5644310fea3b9dc8890968105fc8d5a7df4
                                                                                                                            • Opcode Fuzzy Hash: 19c8551c2195fcdceebd7926ab0eb691ef3b0810175740698e713e31f368a411
                                                                                                                            • Instruction Fuzzy Hash: 1C511C74A042499FCB05CFA8C484FEDBBF6BF49304F198195E444E7362D778AA50DB54

                                                                                                                            Control-flow Graph
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000000,?,05646274), ref: 05645A8B
                                                                                                                            • Sleep.KERNEL32(0000000A,00000000,?,05646274), ref: 05645AA1
                                                                                                                            • Sleep.KERNEL32(00000000,?,?,?,05646274), ref: 05645ACF
                                                                                                                            • Sleep.KERNEL32(0000000A,00000000,?,?,?,05646274), ref: 05645AE5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                             • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: 0b22fdd87b35be1751054292762438289fb30992f0a756fc89f22805162635dc
                                                                                                                            • Instruction ID: 84154c809a6bce05e817d1b349a301878078a29c10cb07a4a02251aca96c2656
                                                                                                                            • Opcode Fuzzy Hash: 0b22fdd87b35be1751054292762438289fb30992f0a756fc89f22805162635dc
                                                                                                                            • Instruction Fuzzy Hash: C0C167726157558FC715CF28E48472ABFE1BB96311F0882AEE4579B785CBB0E845CF80

                                                                                                                            Control-flow Graph
APIs
• Sleep.KERNEL32(00000000,FFFFFFDC,0040591E), ref: 00405A07
• Sleep.KERNEL32(0000000A,00000000,FFFFFFDC,0040591E), ref: 00405A1D
• Sleep.KERNEL32(00000000,?,?,FFFFFFDC,0040591E), ref: 00405A4B
• Sleep.KERNEL32(0000000A,00000000,?,?,FFFFFFDC,0040591E), ref: 00405A61
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: e66bb4f38784bfd9137c613fbcda4af8e397fc48fb03a2f0753061454b312cb4
• Instruction ID: 448122a87f01940f9d306d6a2908d841a3c3914fb1e7434872886097ef0cf150
• Opcode Fuzzy Hash: e66bb4f38784bfd9137c613fbcda4af8e397fc48fb03a2f0753061454b312cb4
• Instruction Fuzzy Hash: CDC12672605A518BDB19CF2DE884767BBA0EB85310F09C2BFD0149B3D1C3B8A941CF99
APIs
  • Part of subcall function 007E7EC8: GetSystemInfo.KERNEL32(007FCF58,00000000,007E7F3B,?,?,?,?,?,007E9D51,00000000,007E9F5B), ref: 007E7F00
  • Part of subcall function 007E9238: GetModuleHandleW.KERNEL32(kernel32.dll,ExitProcess,007E9D56,00000000,007E9F5B), ref: 007E9242
  • Part of subcall function 007E9238: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 007E9248
• ExitProcess.KERNEL32(00000001,00000000,007E9F5B), ref: 007E9D58
• VirtualAlloc.KERNEL32(00000000,002CCA80,00001000,00000004,00000001,00000000,007E9F5B), ref: 007E9D70
  • Part of subcall function 007B5354: LoadLibraryW.KERNEL32(advapi32.dll,00000000,007B55F5), ref: 007B539D
  • Part of subcall function 007B5354: CryptAcquireContextA.ADVAPI32(00000004,00000000,00000000,00000018,F0000000,advapi32.dll,00000000,007B55F5), ref: 007B53D2
  • Part of subcall function 007B5354: LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B53E5
  • Part of subcall function 007B5354: CryptCreateHash.ADVAPI32(00000004,00008003,00000000,00000000,002CCA80,advapi32.dll), ref: 007B541C
  • Part of subcall function 007B5354: LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B542F
  • Part of subcall function 007B5354: CryptHashData.ADVAPI32(002CCA80,00000000,00000000,00000000,advapi32.dll), ref: 007B547A
  • Part of subcall function 007B5354: LoadLibraryW.KERNEL32(advapi32.dll), ref: 007B548D
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,002CCA80,00001000,00000004,00000001,00000000,007E9F5B), ref: 007E9DF8
  • Part of subcall function 007B5008: VirtualAlloc.KERNEL32(?,?,00003000,00000004,00000000,007B52AF), ref: 007B5068
  • Part of subcall function 007B5008: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,00003000,00000004,00000000,007B52AF), ref: 007B5086
  • Part of subcall function 007B5008: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B509D
  • Part of subcall function 007B5008: GetModuleHandleW.KERNEL32(ntdll.dll,kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B50C8
  • Part of subcall function 007B5008: GetProcessHeap.KERNEL32(00000008,0000001C,ntdll.dll,kernel32.dll,?,?,00003000,00000004,00000000,007B52AF), ref: 007B50F2
  • Part of subcall function 007B5008: RtlAllocateHeap.NTDLL(00000000), ref: 007B50F9
  • Part of subcall function 007B5008: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007B510D
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: HandleModule$LibraryLoad$AllocCryptVirtual$HashHeapProcess$AcquireAddressAllocateContextCreateDataExitInfoProcSystem
• String ID: VirtualFree$kernel32.dll
• API String ID: 528590579-864021412
• Opcode ID: 918b7068f8ec72758d153b81cd160311601308c42483dd8f54d8782c0b0498ad
• Instruction ID: 9d69ba79558f97364bd82286ef3f0e0da92e3bdc48a3e2c4c3618ee282f8d7f6
• Opcode Fuzzy Hash: 918b7068f8ec72758d153b81cd160311601308c42483dd8f54d8782c0b0498ad
• Instruction Fuzzy Hash: AD611E74E002098FDB00EBA5C882ADDB7B5EF49304F60453AE504BB396DB78AD45CB95
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,007B4D10), ref: 007B4C86
• VirtualProtect.KERNEL32(?,00000005,00000040,?,kernel32.dll,00000000,007B4D10), ref: 007B4CB8
• VirtualProtect.KERNEL32(?,00000005,?,?), ref: 007B4CEB
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: ProtectVirtual$HandleModule
• String ID: VirtualProtect$kernel32.dll
• API String ID: 3519776433-1817385118
• Opcode ID: e04c1c663b7986d7137b6b3082f198b0faff0eb3f2886fd61576c0eab88c9e65
• Instruction ID: 7dd80464bf91538b607d59b3f1fd4d4d353c8507154cab6e8507e319a6f64483
• Opcode Fuzzy Hash: e04c1c663b7986d7137b6b3082f198b0faff0eb3f2886fd61576c0eab88c9e65
• Instruction Fuzzy Hash: E011A272A00248AFDB01DBA4C801BEFB7B9EB05700F51487AF605E3281D77A5A01CB64
APIs
• CoInitialize.OLE32(00000000), ref: 007E93F2
• CoCreateInstance.COMBASE(007F68F0,00000000,00000001,007F6900,00000000), ref: 007E941C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: CreateInitializeInstance
• String ID: ;~
• API String ID: 3519745914-3055229447
• Opcode ID: 6d6446ab4a22b5c229ab1acce25db7fbaa64785fd43dfb239ff7a04bdc353970
• Instruction ID: 1b56f296d172d2fc3affbfadac37da574de591152644671a5325bca81054ba8a
• Opcode Fuzzy Hash: 6d6446ab4a22b5c229ab1acce25db7fbaa64785fd43dfb239ff7a04bdc353970
• Instruction Fuzzy Hash: 5531DFB2604689AFDB10EFA2CC42B6E77B8EB09710F510679F220E61D1DB7999068625
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,ExitProcess,007E9D56,00000000,007E9F5B), ref: 007E9242
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 007E9248
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: ExitProcess$kernel32.dll
• API String ID: 1646373207-4112012295
• Opcode ID: dce792e2e45b2118e5b5c76a9d29b09f0b2e6183cbb1c2d3e48d654cbf6b8ba7
• Instruction ID: b5be30c904d9d74bb80d725a855925430e24f7239fee57d97a71b1719dbe80c7
• Opcode Fuzzy Hash: dce792e2e45b2118e5b5c76a9d29b09f0b2e6183cbb1c2d3e48d654cbf6b8ba7
• Instruction Fuzzy Hash: 5CC04CF67C72C4658F0577732E0766B358D6949704340486AB3019AE56DD6C9440D298
APIs
• VirtualProtect.KERNEL32(?,?,?,?,00000000,057EBED3), ref: 057EBEB4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
• Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
Yara matches
Similarity
• API ID: ProtectVirtual
• String ID: VirtualProtect
• API String ID: 544645111-268857135
• Opcode ID: c42a11969040b36ced3a269523aa751c757d50420a663b2507930e5d7effae00
• Instruction ID: fc16df0c280efdf8439963cc3faf70d079d5e7a9f160b2388140158e32fb27e4
• Opcode Fuzzy Hash: c42a11969040b36ced3a269523aa751c757d50420a663b2507930e5d7effae00
• Instruction Fuzzy Hash: 14F03C79614308AFCB11DFA8D89989B7BF9FB4C210F918464FA18D7740D730AA10DF91
APIs
• VirtualAlloc.KERNEL32(00000000,?,00003000,?), ref: 007E631F
• GetSystemInfo.KERNEL32(?), ref: 007E6331
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: AllocInfoSystemVirtual
• String ID:
• API String ID: 3440192736-0
• Opcode ID: 89a9f59359bb3fbaec5662b6a33a025e1c9d1aea44bb5d5268c8ddcd45ca7a00
• Instruction ID: c3b0f1e1b300b1af1e21708838bf393d448573e5f1d6bc0aa95c91d42a221c85
• Opcode Fuzzy Hash: 89a9f59359bb3fbaec5662b6a33a025e1c9d1aea44bb5d5268c8ddcd45ca7a00
• Instruction Fuzzy Hash: 9C615975E0125DAFCF40DFEAC885AEEBBF9BB18350F108415E515E7284D378AA818F64
                                                                                                                            APIs
• GetUserDefaultUILanguage.KERNEL32(00000000,0564E4AB,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0564E532,00000000,?,00000105), ref: 0564E43F
• GetSystemDefaultUILanguage.KERNEL32(00000000,0564E4AB,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0564E532,00000000,?,00000105), ref: 0564E467
Memory Dump Source
• Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
• Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
Yara matches
Similarity
• API ID: DefaultLanguage$SystemUser
• String ID:
• API String ID: 384301227-0
APIs
• GetUserDefaultUILanguage.KERNEL32 ref: 0040D423
• GetSystemDefaultUILanguage.KERNEL32 ref: 0040D44B
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: DefaultLanguage$SystemUser
• String ID:
• API String ID: 384301227-0
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0564E572,?,00400000,05B3EC1C,?,0564D270,00400000,?,0000020A,00400000,05B3EC1C,0564D2B0), ref: 0564E4F4
• LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0564E572,?,00400000,05B3EC1C,?,0564D270,00400000,?,0000020A), ref: 0564E545
Memory Dump Source
• Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
• Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
Yara matches
Similarity
• API ID: FileLibraryLoadModuleName
• String ID:
• API String ID: 1159719554-0
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D556,?,00400000,007EFC1C), ref: 0040D4D8
• LoadLibraryExW.KERNEL32(00000000,00000000,00000002), ref: 0040D529
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: FileLibraryLoadModuleName
• String ID:
• API String ID: 1159719554-0
APIs
• WSAStartup.WS2_32(00000101,?), ref: 05B28775
• GetLastError.KERNEL32(?,05B30087,00000000,05B30412), ref: 05B2877A
Memory Dump Source
• Source File: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
• Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
Yara matches
Similarity
• API ID: ErrorLastStartup
• String ID:
• API String ID: 1235836516-0
APIs
• CreateThread.KERNEL32(?,007EEF1D,00409ADC,00000000,00000000,007EEF1D), ref: 00409B6E
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• CreateMutexA.KERNEL32(00000000,00000001,02FF006E), ref: 02FF0086
Memory Dump Source
• Source File: 0000000E.00000002.2799515691.0000000002FF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2ff0000_pipanel.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
APIs
• VirtualProtect.KERNEL32(00000000,?,00000000,?), ref: 007E61A2
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• GetSystemInfo.KERNEL32(007FCF58,00000000,007E7F3B,?,?,?,?,?,007E9D51,00000000,007E9F5B), ref: 007E7F00
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
APIs
• waveOutGetVolume.WINMM(00000000,007EEF1D), ref: 007E9388
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: Volumewave
• String ID:
• API String ID: 4088794200-0
APIs
• GetModuleFileNameW.KERNEL32(00400000,?,0000020A,00400000,05B3EC1C,0564D2B0,?,?,056500C0), ref: 0564D262
  • Part of subcall function 0564E4B8: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0564E572,?,00400000,05B3EC1C,?,0564D270,00400000,?,0000020A,00400000,05B3EC1C,0564D2B0), ref: 0564E4F4
  • Part of subcall function 0564E4B8: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0564E572,?,00400000,05B3EC1C,?,0564D270,00400000,?,0000020A), ref: 0564E545
Memory Dump Source
• Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
• Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
Yara matches
Similarity
• API ID: FileModuleName$LibraryLoad
• String ID:
• API String ID: 4113206344-0
• Opcode ID: 7c1ee64858cc89b131c1bcaaf4c5d23a408bec5d341bc7def07cd761b0403ce4
• Instruction ID: db61f267cbe81afa05c4ab4ca414e60a46f1fb988ade07ae1d2e2e8ad0ee7e4a
• Opcode Fuzzy Hash: 7c1ee64858cc89b131c1bcaaf4c5d23a408bec5d341bc7def07cd761b0403ce4
• Instruction Fuzzy Hash: 42E0C9B1A043109BDF24EE68C8C4A5637A8BB18654F044655ED18DF346E371D914CBE1
APIs
• GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 0040C246
  • Part of subcall function 0040D49C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D556,?,00400000,007EFC1C), ref: 0040D4D8
  • Part of subcall function 0040D49C: LoadLibraryExW.KERNEL32(00000000,00000000,00000002), ref: 0040D529
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: FileModuleName$LibraryLoad
• String ID:
• API String ID: 4113206344-0
• Opcode ID: a559c8dbe341fb8b7ed0a93d0f1677756894023c7fe04e0299a3f44a76cdd84b
• Instruction ID: ba044da96040afd60275194f994c39a6e3d3e52002c889589e7e8abd48b95cc5
• Opcode Fuzzy Hash: a559c8dbe341fb8b7ed0a93d0f1677756894023c7fe04e0299a3f44a76cdd84b
• Instruction Fuzzy Hash: 43E0C971E053109BCB10DFA8C8C5A477794AB08B54F044AA6AD28DF386D375D91487E5
APIs
• CreateMutexA.KERNEL32(00000000,00000001,02FF006E), ref: 02FF0086
Memory Dump Source
• Source File: 0000000E.00000002.2799515691.0000000002FF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2ff0000_pipanel.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: c71e31eb6a2a75188704a56009c617640797579ebaeb9c66ee061a22f315da0a
• Instruction ID: 4b92a433f18cd08e22f38f8de04b1b74ee374cc34af9e1d2a9b01ae781808577
• Opcode Fuzzy Hash: c71e31eb6a2a75188704a56009c617640797579ebaeb9c66ee061a22f315da0a
• Instruction Fuzzy Hash: 35B012613A810060F610007D1C51B240104CF04700FA11003F208FC0CCC08ADB801036
APIs
  • Part of subcall function 004104F0: GetModuleHandleW.KERNEL32(00000000,?,007EEE18), ref: 004104FC
  • Part of subcall function 007E937C: waveOutGetVolume.WINMM(00000000,007EEF1D), ref: 007E9388
  • Part of subcall function 007E93D8: CoInitialize.OLE32(00000000), ref: 007E93F2
  • Part of subcall function 007E93D8: CoCreateInstance.COMBASE(007F68F0,00000000,00000001,007F6900,00000000), ref: 007E941C
• Sleep.KERNEL32(00000000,00000000,007EEF1D), ref: 007EEE87
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: CreateHandleInitializeInstanceModuleSleepVolumewave
• String ID:
• API String ID: 3130883371-0
• Opcode ID: e4ff22478e1e532da1f1d1b2920a1aff3a3e917e7d970103fabf6fc2d86a0c0b
• Instruction ID: 00c27f648798e8fb7903962c8f1f860ff983bad646c2876e0a7dbe8d8762f060
• Opcode Fuzzy Hash: e4ff22478e1e532da1f1d1b2920a1aff3a3e917e7d970103fabf6fc2d86a0c0b
• Instruction Fuzzy Hash: E521E571602289CEEB50EB6B9D467ADF7F1EB4C314F50892AE604D27D2D73C5401CB65
APIs
• VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,05645CCF,?,05646274), ref: 056456CF
Memory Dump Source
• Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
• Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 34622fdeda318760e3a1ee17756f08e8cf8420c1c916d390960b725f466a4d3e
• Instruction ID: 3c26832e47b665d45a4df2fca7169cccfd0a1611bad0d90ef13aff3094fa3af4
• Opcode Fuzzy Hash: 34622fdeda318760e3a1ee17756f08e8cf8420c1c916d390960b725f466a4d3e
• Instruction Fuzzy Hash: F9F069B2B207014FD714DE78A946B426FE4A704352B10427EF90AEB788EBB098018B84
APIs
• VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,00405C4B,FFFFFFDC,0040591E), ref: 0040564B
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 294dff03d6a04316d3557dc222ff1a98499e06d62fde620ed5e3be942bc5c473
• Instruction ID: 2fd1637c8a9e76a581e83fbc6107b96fd27cc1e5fee9dd73479bf31e7ab9bc2a
• Opcode Fuzzy Hash: 294dff03d6a04316d3557dc222ff1a98499e06d62fde620ed5e3be942bc5c473
• Instruction Fuzzy Hash: 7EF08CB2B043014FD7189F7C9D407567BE4E744354B12817EE909EB794D7B88801CB88
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,0564DEFB,00000000,0564DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0564DFD9), ref: 0564DBE1
• GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0564DBF2
• FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?,?,0564DEFB,00000000,0564DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0564DCF2
• FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?,?,0564DEFB,00000000,0564DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019), ref: 0564DD04
• lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?,?,0564DEFB,00000000,0564DFBC,?,80000001,Software\Embarcadero\Locales,00000000), ref: 0564DD10
• lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?,?,0564DEFB,00000000,0564DFBC,?,80000001,Software\Embarcadero\Locales), ref: 0564DD55
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
• Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
Yara matches
Similarity
• API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameW$\$kernel32.dll
• API String ID: 1930782624-3908791685
• Opcode ID: c2cd42961203c7e837ce9796f535a5809e3b5dd7c15431b1050136c87ac0b76a
• Instruction ID: d467ebc4b3659a7c30c99c9d81bfaa609e805f3314126da4b35bdba278a4de6e
• Opcode Fuzzy Hash: c2cd42961203c7e837ce9796f535a5809e3b5dd7c15431b1050136c87ac0b76a
• Instruction Fuzzy Hash: 62419FB1F00A189BCB14EBA4CC88BEEB3B9AF45310F1485A9D505E7354EBB4AE45CF44
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,00419FDC,?,?), ref: 0040CBC5
• GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040CBD6
• FindFirstFileW.KERNEL32(?,?,kernel32.dll,00419FDC,?,?), ref: 0040CCD6
• FindClose.KERNEL32(000000FF), ref: 0040CCE8
• lstrlenW.KERNEL32(?,000000FF), ref: 0040CCF4
• lstrlenW.KERNEL32(?,?,000000FF), ref: 0040CD39
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameW$\$kernel32.dll
• API String ID: 1930782624-3908791685
• Opcode ID: 0780fd1eb023d6c1f3aab4440b2ce0b042986587d360e664c8ffa89c3883650b
• Instruction ID: 70bc7995c4b8c1f727a8e6f74c0114f0dd9ae9748d3feff28ab1683db5cac293
• Opcode Fuzzy Hash: 0780fd1eb023d6c1f3aab4440b2ce0b042986587d360e664c8ffa89c3883650b
• Instruction Fuzzy Hash: 79417D31A00619DBDB10EBA8CCC5ADEB7B5AF44314F1446BA9508F72D1E77CAE448F89
                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(user32.dll), ref: 057EC7ED
                                                                                                                            • LoadLibraryW.KERNEL32(ntdll.dll,user32.dll), ref: 057EC809
                                                                                                                            • LoadLibraryW.KERNEL32(advapi32.dll,ntdll.dll,user32.dll), ref: 057EC825
                                                                                                                            • LoadLibraryW.KERNEL32(shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 057EC841
                                                                                                                            • LoadLibraryW.KERNEL32(ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 057EC85D
                                                                                                                            • LoadLibraryW.KERNEL32(ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 057EC879
                                                                                                                            • LoadLibraryW.KERNEL32(wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 057EC895
                                                                                                                            • LoadLibraryW.KERNEL32(wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 057EC8AE
                                                                                                                            • LoadLibraryW.KERNEL32(crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 057EC8C7
                                                                                                                            • LoadLibraryW.KERNEL32(PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 057EC8E0
                                                                                                                            • LoadLibraryW.KERNEL32(gdi32.dll,PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 057EC8F9
                                                                                                                            • LoadLibraryW.KERNEL32(Iphlpapi.dll,gdi32.dll,PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 057EC912
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: Iphlpapi.dll$PSAPI.dll$advapi32.dll$crypt32.dll$gdi32.dll$ntdll.dll$ole32.dll$shell32.dll$user32.dll$wininet.dll$ws2_32.dll$wtsapi32.dll
                                                                                                                            • API String ID: 1029625771-1098239973
                                                                                                                            • Opcode ID: e86d5d548ce3c7c720d6bf1dea2b6313c4807f066637b8e9a1a6e809b0907840
                                                                                                                            • Instruction ID: 32ce15369f448faa141abb033feffdde47f76da190973b66163ec8caed179180
                                                                                                                            • Opcode Fuzzy Hash: e86d5d548ce3c7c720d6bf1dea2b6313c4807f066637b8e9a1a6e809b0907840
                                                                                                                            • Instruction Fuzzy Hash: 7241C4B8A64308EEC752EFA8E54E65D7BF8FB0D754F504469E945AB300DB306A00EF52
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,007B4249), ref: 007B4107
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007B4167
                                                                                                                            • GetLastError.KERNEL32 ref: 007B41AE
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007B41C1
                                                                                                                            • GetLastError.KERNEL32 ref: 007B420B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HandleModule$ErrorLast
                                                                                                                            • String ID: CloseHandle$CreateFileW$GetFileAttributesW$kernel32.dll${
                                                                                                                            • API String ID: 376044232-2642396515
                                                                                                                            • Opcode ID: c78aa9ca8cc6231b8a81011f9f9007123eacbd6fa6aca5be5d991471ef62fdcd
                                                                                                                            • Instruction ID: 70c39c79c02f1817e9240851158c08ff5255e28e1e66c8cbf9de5860453e42d1
                                                                                                                            • Opcode Fuzzy Hash: c78aa9ca8cc6231b8a81011f9f9007123eacbd6fa6aca5be5d991471ef62fdcd
                                                                                                                            • Instruction Fuzzy Hash: EE418D74D04348AADF04EBE5980A7EEBBB4FB45304F10857AF910B22D2D77C5A41EB66
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(05B7EC14,00000000,0564DB84,?,?,?,00000000,?,0564E44C,00000000,0564E4AB,?,?,00000000,00000000,00000000), ref: 0564DA9E
                                                                                                                            • LeaveCriticalSection.KERNEL32(05B7EC14,05B7EC14,00000000,0564DB84,?,?,?,00000000,?,0564E44C,00000000,0564E4AB,?,?,00000000,00000000), ref: 0564DAC2
                                                                                                                            • LeaveCriticalSection.KERNEL32(05B7EC14,05B7EC14,00000000,0564DB84,?,?,?,00000000,?,0564E44C,00000000,0564E4AB,?,?,00000000,00000000), ref: 0564DAD1
                                                                                                                            • IsValidLocale.KERNEL32(00000000,00000002,05B7EC14,05B7EC14,00000000,0564DB84,?,?,?,00000000,?,0564E44C,00000000,0564E4AB), ref: 0564DAE3
                                                                                                                            • EnterCriticalSection.KERNEL32(05B7EC14,00000000,00000002,05B7EC14,05B7EC14,00000000,0564DB84,?,?,?,00000000,?,0564E44C,00000000,0564E4AB), ref: 0564DB40
                                                                                                                            • LeaveCriticalSection.KERNEL32(05B7EC14,05B7EC14,00000000,00000002,05B7EC14,05B7EC14,00000000,0564DB84,?,?,?,00000000,?,0564E44C,00000000,0564E4AB), ref: 0564DB69
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                                                                                            • String ID: en-GB,en,en-US,
                                                                                                                            • API String ID: 975949045-3021119265
                                                                                                                            • Opcode ID: 0fa9f16ad506feb1562eead38280337d28ad64cbbd9ad7a78d7ef1aeb239351a
                                                                                                                            • Instruction ID: 48a441412bb7353ffefad33dcb29a24d3198330b9f4003aa41459bd1e4365eb4
                                                                                                                            • Opcode Fuzzy Hash: 0fa9f16ad506feb1562eead38280337d28ad64cbbd9ad7a78d7ef1aeb239351a
                                                                                                                            • Instruction Fuzzy Hash: 7221E7B4B043445BDB11B7789C49A1E21BDAF46A00F5044A9F0019B650EEB4ED41DFAF
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 056487BD
                                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 056487C3
                                                                                                                            • GetLogicalProcessorInformation.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 056487D6
                                                                                                                            • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 056487DF
                                                                                                                            • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,05648856,?,00000000,?,GetLogicalProcessorInformation), ref: 0564880A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
                                                                                                                            • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                                                                                            • API String ID: 1184211438-79381301
                                                                                                                            • Opcode ID: ecd148831f6ad32729a737892b85512c1ba9d45be7bccc5e8dab679c406b7b8c
                                                                                                                            • Instruction ID: 5c185e49debf0dd2a31c551b87f460cc15f2846f9594da8ae4e64e98165d2f09
                                                                                                                            • Opcode Fuzzy Hash: ecd148831f6ad32729a737892b85512c1ba9d45be7bccc5e8dab679c406b7b8c
                                                                                                                            • Instruction Fuzzy Hash: 61119371E04208AFDF50EBE5D808A6EB7F9EB41700F1084A9E81597A41E7748A40DF55
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 0040863D
                                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408643
                                                                                                                            • GetLogicalProcessorInformation.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00408656
                                                                                                                            • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040865F
                                                                                                                            • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,004086D6,?,00000000,?,GetLogicalProcessorInformation), ref: 0040868A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
                                                                                                                            • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                                                                                            • API String ID: 1184211438-79381301
                                                                                                                            • Opcode ID: 5c1f650784676188e58856916b63c0c3f38add80198dcced6c01d44bfd14551f
                                                                                                                            • Instruction ID: 3a5ca0c6ba0916f4b43a4d76bf6a17100578e13cec400e9c678c7b2076f3e09f
                                                                                                                            • Opcode Fuzzy Hash: 5c1f650784676188e58856916b63c0c3f38add80198dcced6c01d44bfd14551f
                                                                                                                            • Instruction Fuzzy Hash: 0B116D70D00208ABDB10EBA5CA05B6FB7F8EB44304F5184BFE454B72C1DA7E8A808E59
                                                                                                                            APIs
                                                                                                                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 05651868
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionRaise
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3997070919-0
                                                                                                                            • Opcode ID: 76dc39e7baf0740c1e8d36844ebfb35cea6f538a87c50bb36a864e90df5f9f72
                                                                                                                            • Instruction ID: c8dcff75b6fdcac1623be22b51ed3235d96988ba7b6c19c5c5878cacd5ac8cd8
                                                                                                                            • Opcode Fuzzy Hash: 76dc39e7baf0740c1e8d36844ebfb35cea6f538a87c50bb36a864e90df5f9f72
                                                                                                                            • Instruction Fuzzy Hash: BEA17F75E44309AFDB21DFA8C884BEEBBB5BF49320F10411AE985A7380DB70E945CB54
                                                                                                                            APIs
                                                                                                                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004105F4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionRaise
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3997070919-0
                                                                                                                            • Opcode ID: 05fa29c61b795b2395a40131ba86ac733d2929ed3cdf9b74d2f1781b962d0199
                                                                                                                            • Instruction ID: a4e6360c13b5b9f3d2bc16358017cfc39c6430ae7aa0f72c77c68697e0b63a4c
                                                                                                                            • Opcode Fuzzy Hash: 05fa29c61b795b2395a40131ba86ac733d2929ed3cdf9b74d2f1781b962d0199
                                                                                                                            • Instruction Fuzzy Hash: AAA16175A013099FDB10DFA4D884BEEB7B5AF88310F14812AE515EB390D7B8A9C5CB58
                                                                                                                            APIs
                                                                                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~,?,00409A82,00406F47,00406F8E,00000002,?), ref: 004098E9
                                                                                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~,?,00409A82,00406F47,00406F8E,00000002), ref: 004098EF
                                                                                                                            • GetStdHandle.KERNEL32(000000F5,00000000,00000002,$~,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~), ref: 0040990A
                                                                                                                            • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,$~,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E), ref: 00409910
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileHandleWrite
                                                                                                                            • String ID: $~$Error$Runtime error at 00000000
                                                                                                                            • API String ID: 3320372497-611976076
                                                                                                                            • Opcode ID: 773b21d0e1e235686b8c975b0367ba2c5725b1b30e329e26ed00eb3780160e28
                                                                                                                            • Instruction ID: 7a89ddf477c9e36db60ff24523b9176b1e887e2bb04061e57fb4fc8c084de822
                                                                                                                            • Opcode Fuzzy Hash: 773b21d0e1e235686b8c975b0367ba2c5725b1b30e329e26ed00eb3780160e28
                                                                                                                            • Instruction Fuzzy Hash: 2EF0FFA168A38478F62077615C47F2B270C9B04B14F80813FF510B82D3C6BC1880DB2E
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 05648EBC: GetCurrentThreadId.KERNEL32 ref: 05648EBF
                                                                                                                            • GetTickCount.KERNEL32 ref: 05648A67
                                                                                                                            • GetTickCount.KERNEL32 ref: 05648A7F
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 05648AAE
                                                                                                                            • GetTickCount.KERNEL32 ref: 05648AD9
                                                                                                                            • GetTickCount.KERNEL32 ref: 05648B10
                                                                                                                            • GetTickCount.KERNEL32 ref: 05648B3A
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 05648BAA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CountTick$CurrentThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3968769311-0
                                                                                                                            • Opcode ID: d68ec1abf69cfc70c59f2f91d6cebc4e06fe90a0434943dd8d8eb942de5edc48
                                                                                                                            • Instruction ID: fac2f420fa0986064a93af9b16f8bbda83bbdaf3465a5a4ec0fa8538b07f4766
                                                                                                                            • Opcode Fuzzy Hash: d68ec1abf69cfc70c59f2f91d6cebc4e06fe90a0434943dd8d8eb942de5edc48
                                                                                                                            • Instruction Fuzzy Hash: CC417CB12083418ED721EE7CC88472EBBD2BB94254F088D2DD4D987B81EBB494C2CB56
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00408D3C: GetCurrentThreadId.KERNEL32 ref: 00408D3F
                                                                                                                            • GetTickCount.KERNEL32 ref: 004088E7
                                                                                                                            • GetTickCount.KERNEL32 ref: 004088FF
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040892E
                                                                                                                            • GetTickCount.KERNEL32 ref: 00408959
                                                                                                                            • GetTickCount.KERNEL32 ref: 00408990
                                                                                                                            • GetTickCount.KERNEL32 ref: 004089BA
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00408A2A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CountTick$CurrentThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3968769311-0
                                                                                                                            • Opcode ID: 04fd666f83ea7920eae9c8d6ac9e75e716ad4726c29343ad6dc7362e2644cc0c
                                                                                                                            • Instruction ID: b02280414301e284f6cab43f2193b111e4bb8fc0ffdb0195ca7ae23dbc2a44bd
                                                                                                                            • Opcode Fuzzy Hash: 04fd666f83ea7920eae9c8d6ac9e75e716ad4726c29343ad6dc7362e2644cc0c
                                                                                                                            • Instruction Fuzzy Hash: E14171712083419ED721AE7CC68432FBAD1AF91354F15893FE4D4A77C1DE7888858B5B
                                                                                                                            APIs
                                                                                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05649BB2,?,?,00000000,00000000,05649CC6,05649CE0,?,?,056511E8), ref: 05649B2D
                                                                                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05649BB2,?,?,00000000,00000000,05649CC6,05649CE0), ref: 05649B33
                                                                                                                            • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05649BB2,?,?,00000000), ref: 05649B4E
                                                                                                                            • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05649BB2,?,?), ref: 05649B54
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileHandleWrite
                                                                                                                            • String ID: Error$Runtime error at 00000000
                                                                                                                            • API String ID: 3320372497-2970929446
                                                                                                                            • Opcode ID: b1a0b72741337918890e03c52fb2ddd11fdb1378360829b34b1d147ba86af12d
                                                                                                                            • Instruction ID: 317efdb1b1447b14322ca8426cd5c3964b7d2a31c4c1f62d3f2288af28a63025
                                                                                                                            • Opcode Fuzzy Hash: b1a0b72741337918890e03c52fb2ddd11fdb1378360829b34b1d147ba86af12d
                                                                                                                            • Instruction Fuzzy Hash: 7FF0AFB07942487AEB10B2645C4BFAB3E5CA745B50F50024EF221BA0D0EAB4A880DF65
                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(user32.dll,05B30073,00000000,05B30412), ref: 057EC705
                                                                                                                            • LoadLibraryW.KERNEL32(kernel32.dll,user32.dll,05B30073,00000000,05B30412), ref: 057EC714
                                                                                                                            • LoadLibraryW.KERNEL32(ntdll.dll,kernel32.dll,user32.dll,05B30073,00000000,05B30412), ref: 057EC723
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: LibraryLoad
                                                                                                                            • String ID: kernel32.dll$ntdll.dll$user32.dll
                                                                                                                            • API String ID: 1029625771-3818928520
                                                                                                                            • Opcode ID: 6896003b2dbe1ef89ff92a16e5e10d0d00aa60e5afd6a3b8856fea4b842f22fa
                                                                                                                            • Instruction ID: c97615b023ca7c4a8a7459fb53648dccdab6f245a2f7e4e17bcb468a396cb307
                                                                                                                            • Opcode Fuzzy Hash: 6896003b2dbe1ef89ff92a16e5e10d0d00aa60e5afd6a3b8856fea4b842f22fa
                                                                                                                            • Instruction Fuzzy Hash: 13C002F8BE1318AE5363BF64550F42E3998F745E50B400419AD08AF200DF701840BF96
                                                                                                                            APIs
                                                                                                                            • GetVersionExW.KERNEL32(?,?,?,?,?,05B052B1), ref: 05B0505F
                                                                                                                            • GetVersionExW.KERNEL32(?,?,?,?,?,?,05B052B1), ref: 05B05089
                                                                                                                            • LoadLibraryW.KERNEL32(ntdll.dll,RtlGetVersion,00000000,05B051E9,?,?,?,?,?,?,05B052B1), ref: 05B050D6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Version$LibraryLoad
                                                                                                                            • String ID: RtlGetVersion$ntdll.dll
                                                                                                                            • API String ID: 192404683-1489217083
                                                                                                                            • Opcode ID: cdd33ae48966f87c2432c56969680b350c14eb684ef6b16d9b72f0802303c2dd
                                                                                                                            • Instruction ID: f20b21713f5a887ab542221e296fdedce810b56c9a3d9d455a8477cccc421091
                                                                                                                            • Opcode Fuzzy Hash: cdd33ae48966f87c2432c56969680b350c14eb684ef6b16d9b72f0802303c2dd
                                                                                                                            • Instruction Fuzzy Hash: 8F51A074A44208EFCB14DBA4C585ADDBBF5EF49310F2594E9E805A7790E730AE40DF54
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,007B4E45), ref: 007B4DBB
                                                                                                                            • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000001,kernel32.dll,00000000,007B4E45), ref: 007B4DED
                                                                                                                            • VirtualProtect.KERNEL32(00000000,00000005,00000001,00000001), ref: 007B4E20
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProtectVirtual$HandleModule
                                                                                                                            • String ID: VirtualProtect$kernel32.dll
                                                                                                                            • API String ID: 3519776433-1817385118
                                                                                                                            • Opcode ID: 777bf22d5265d8be7ee9487e6411f158a950ad289d5dcb62c2caa69a7fbc9b76
                                                                                                                            • Instruction ID: 6feec314314617b60e1c2fa0746624d18fb88d0f1d6c6f1f8ed6b67c6740e0fb
                                                                                                                            • Opcode Fuzzy Hash: 777bf22d5265d8be7ee9487e6411f158a950ad289d5dcb62c2caa69a7fbc9b76
                                                                                                                            • Instruction Fuzzy Hash: 6B213E71A00249AFDB01DFE8C885BEFBBB9FB09714F514479E601E3291D7799A00CB94
                                                                                                                            APIs
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040997E
                                                                                                                            • FreeLibrary.KERNEL32(00400000,?,?,$~,?,00409A82,00406F47,00406F8E,00000002,?,00406FA7,?,?,?,?,007EEF1C), ref: 00409A1C
                                                                                                                            • ExitProcess.KERNEL32(00000000,?,?,$~,?,00409A82,00406F47,00406F8E,00000002,?,00406FA7,?,?,?,?,007EEF1C), ref: 00409A55
                                                                                                                              • Part of subcall function 004098B0: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~,?,00409A82,00406F47,00406F8E,00000002,?), ref: 004098E9
                                                                                                                              • Part of subcall function 004098B0: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~,?,00409A82,00406F47,00406F8E,00000002), ref: 004098EF
                                                                                                                              • Part of subcall function 004098B0: GetStdHandle.KERNEL32(000000F5,00000000,00000002,$~,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E,?,?,$~), ref: 0040990A
                                                                                                                              • Part of subcall function 004098B0: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,$~,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,$~,00000000,?,0040996E), ref: 00409910
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
• String ID: $~
• API String ID: 3490077880-1420499540
• Opcode ID: b42f7c6514fa2e4ba5d384be508622aee6d9700a1406f69b1d057fe348a384cb
• Instruction ID: 729552d4b205c4b6db1c40a69fda68c73a156e7e37d5ee8f3dce140ca8fc0210
• Opcode Fuzzy Hash: b42f7c6514fa2e4ba5d384be508622aee6d9700a1406f69b1d057fe348a384cb
• Instruction Fuzzy Hash: AA3169B0A002859BDB21AB7A888876B7690AF04318F14893FE545A63D3D77CDC84CB6D
APIs
• GetThreadUILanguage.KERNEL32(?,00000000), ref: 0564D975
• SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0564D9D3
• SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0564DA30
• SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0564DA63
  • Part of subcall function 0564D920: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0564D9E1), ref: 0564D937
  • Part of subcall function 0564D920: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0564D9E1), ref: 0564D954
Memory Dump Source
• Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
• Associated: 0000000E.00000002.2801111895.0000000005640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005659000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2801166151.0000000005B8D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
Yara matches
Similarity
• API ID: Thread$LanguagesPreferred$Language
• String ID:
• API String ID: 2255706666-0
• Opcode ID: 250029bc87568a604f918389db3947c513fee5713c1f294bfdebf82955fcffc7
• Instruction ID: 5d4876894eea2ea716a5bbf9d9d59befd8734359069d86cdc8a08e595b53f2ba
• Opcode Fuzzy Hash: 250029bc87568a604f918389db3947c513fee5713c1f294bfdebf82955fcffc7
• Instruction Fuzzy Hash: 7A315C31F0421EABDB10DFE8D888AAEB7B9FF04304F044569E555E7290EB74AA45CF54
APIs
• GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C959
• SetThreadPreferredUILanguages.KERNEL32(00000004,?,000000FF), ref: 0040C9B7
• SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040CA14
• SetThreadPreferredUILanguages.KERNEL32(00000008,00000000,?), ref: 0040CA47
  • Part of subcall function 0040C904: GetThreadPreferredUILanguages.KERNEL32(00000038,0040C9C5,00000000,00000000,?,00000000,?,?,0040C9C5), ref: 0040C91B
  • Part of subcall function 0040C904: GetThreadPreferredUILanguages.KERNEL32(00000038,0040C9C5,00000000,00000000,?,?,0040C9C5), ref: 0040C938
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: Thread$LanguagesPreferred$Language
• String ID:
• API String ID: 2255706666-0
• Opcode ID: 8ef4da217b9d90f3f72582c7eda1050deeca6c1b49fe9d879124390108d6185f
• Instruction ID: 60c78255c2fae95a361181b35778ad0afcc5332dc1bf7423088e953ece34cb01
• Opcode Fuzzy Hash: 8ef4da217b9d90f3f72582c7eda1050deeca6c1b49fe9d879124390108d6185f
• Instruction Fuzzy Hash: C9312D71A0021EDBDB10DBA9C885BAEB3F4EF04314F10827AE551F7291DB789A05CB95
APIs
• UnhandledExceptionFilter.KERNEL32(00000006), ref: 004094DF
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2799030143.0000000000417000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.00000000007FC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2799030143.0000000000802000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID: pnB$xoB
• API String ID: 3192549508-1858878467
• Opcode ID: 0a79f63b1534adbb0e29de0ece138e19c4857cbc34462d57ef1bbdd42fa654d9
• Instruction ID: f9005ca40e833597cfde3972eed18ca8d48f2f06ad6e454d3b76b5059e9afc12
• Opcode Fuzzy Hash: 0a79f63b1534adbb0e29de0ece138e19c4857cbc34462d57ef1bbdd42fa654d9
• Instruction Fuzzy Hash: 9831043520C2019AD7249E28D884A777795AB85320F24827BE501BB7D7C63DDC87EB2F
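The function entries above are raw report text, and the point an analyst wants from them is buried: the same Thread$LanguagesPreferred$Language routine (API String ID 2255706666-0) appears both in the original image at offset 00400000 and in the Yara-matched region at offset 05640000, which is what one expects when a payload has been unpacked or injected into a second region, and the constants passed to SetThreadPreferredUILanguages are flag bits from winnls.h. The following parser is an added example written for this page; it is not Joe Sandbox code and not part of the report. It reads entries in the layout shown here (the sample is constructed from the entries on this page), groups them by API String ID to find code present in more than one memory region, decodes the MUI flag arguments (MUI_LANGUAGE_ID 0x4, MUI_LANGUAGE_NAME 0x8, MUI_MERGE_SYSTEM_FALLBACK 0x10, MUI_MERGE_USER_FALLBACK 0x20 from winnls.h), and cross-checks the snapshot file name against the dump file name. The interpretation of the dump-name fields (first field = process index, fifth field = page protection) is an assumption inferred from the names on this page, not a documented format.

```python
"""Correlate Joe Sandbox function entries: duplicated code across regions, MUI flags, dump-name checks."""
import re
from collections import defaultdict

# Flag bits accepted by Get/SetThreadPreferredUILanguages (winnls.h).
MUI_FLAGS = {0x04: "MUI_LANGUAGE_ID", 0x08: "MUI_LANGUAGE_NAME",
             0x10: "MUI_MERGE_SYSTEM_FALLBACK", 0x20: "MUI_MERGE_USER_FALLBACK"}
# Page protections (winnt.h); which dump-name field holds them is an assumption (see dump_protection).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

API_RE = re.compile(r"^•\s*(?:Part of subcall function (\w+):\s*)?(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+)")
SNAP_RE = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_")

# Constructed sample: three entries copied (trimmed) from this report's layout.
SAMPLE = """APIs
• GetThreadUILanguage.KERNEL32(?,00000000), ref: 0564D975
• SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0564D9D3
• SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0564DA30
• SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0564DA63
  • Part of subcall function 0564D920: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0564D9E1), ref: 0564D937
Memory Dump Source
• Source File: 0000000E.00000002.2801166151.0000000005641000.00000040.00001000.00020000.00000000.sdmp, Offset: 05640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_5640000_pipanel.jbxd
Yara matches
Similarity
• API ID: Thread$LanguagesPreferred$Language
• API String ID: 2255706666-0
APIs
• GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C959
• SetThreadPreferredUILanguages.KERNEL32(00000004,?,000000FF), ref: 0040C9B7
• SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040CA14
• SetThreadPreferredUILanguages.KERNEL32(00000008,00000000,?), ref: 0040CA47
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: Thread$LanguagesPreferred$Language
• API String ID: 2255706666-0
APIs
• UnhandledExceptionFilter.KERNEL32(00000006), ref: 004094DF
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2799030143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_pipanel.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• API String ID: 3192549508-1858878467
"""


def parse_entries(text):
    """Split the report text at each 'APIs' header and collect the fields of every function entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "yara": False, "source": None, "offset": None,
                   "snapshot": None, "api_string_id": None}
            entries.append(cur)
            continue
        if cur is None or not line:
            continue
        if line == "Yara matches":
            cur["yara"] = True  # header present => the region carries a Yara hit
        elif (m := API_RE.match(line)):
            sub, name, module, args, ref = m.groups()
            cur["apis"].append({"name": name, "module": module, "args": args.split(","),
                                "ref": int(ref, 16), "subcall": sub})
        elif (m := SRC_RE.match(line)):
            cur["source"], cur["offset"] = m.group(1), int(m.group(2), 16)
        elif line.startswith("• Snapshot File:"):
            cur["snapshot"] = line.split(":", 1)[1].strip()
        elif line.startswith("• API String ID:"):
            cur["api_string_id"] = line.split(":", 1)[1].strip()
    return entries


def duplicates_across_regions(entries):
    """API String ID -> set of module offsets; more than one offset means the same code lives in two regions."""
    seen = defaultdict(set)
    for e in entries:
        if e["api_string_id"] and e["offset"] is not None:
            seen[e["api_string_id"]].add(e["offset"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def decode_mui_flags(value):
    """Expand a Get/SetThreadPreferredUILanguages flag word into winnls.h names; unknown bits kept as hex."""
    names = [n for bit, n in sorted(MUI_FLAGS.items()) if value & bit]
    unknown = value & ~sum(MUI_FLAGS)
    return names + ([f"0x{unknown:x}"] if unknown else [])


def mui_calls(entry):
    """(api name, decoded flags) for every *ThreadPreferredUILanguages call whose first argument is concrete."""
    out = []
    for a in entry["apis"]:
        if a["name"].endswith("ThreadPreferredUILanguages") and re.fullmatch(r"[0-9A-Fa-f]+", a["args"][0]):
            out.append((a["name"], decode_mui_flags(int(a["args"][0], 16))))
    return out


def dump_protection(source_file):
    """ASSUMPTION: the fifth dot-separated field of the .sdmp name is the page protection."""
    f = source_file.split(".")
    return PAGE_PROTECT.get(int(f[4], 16), f[4])


def snapshot_matches_source(entry):
    """ASSUMPTION: dump-name fields 1 and 2 are process index and stage; check them against hcaresult_<pid>_<stage>_<base>."""
    if not entry["snapshot"] or not entry["source"]:
        return False
    m = SNAP_RE.search(entry["snapshot"])
    f = entry["source"].split(".")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3), 16)) == (int(f[0], 16), int(f[1], 16), entry["offset"])


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for sid, offs in duplicates_across_regions(ents).items():
        print(f"{sid}: same function at offsets {', '.join(f'{o:08X}' for o in sorted(offs))}")
    for e in ents:
        print(f"{e['offset']:08X} yara={e['yara']} prot={dump_protection(e['source'])} "
              f"snapshot_ok={snapshot_matches_source(e)} mui={mui_calls(e)}")
```

Run it as a script and the first line reports 2255706666-0 at 00400000 and 05640000; the sequence ID (0x4), clear (0x0), NAME (0x8) on the Set side and NAME|SYSTEM_FALLBACK|USER_FALLBACK (0x38) on the Get side is identical in both regions, which is the kind of evidence that supports treating the 05640000 dump as a copy of code from the original image rather than an unrelated module. Feed it the full report text (`parse_entries(open(path).read())`) to run the same correlation over every entry.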