Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
xsYbMYg5Dr.exe

Overview

General Information

Sample name:xsYbMYg5Dr.exe
Analysis ID:1587294
MD5:bbc1d10fdf7fc20b03eb2b00fe75637a
SHA1:61a1eeaf8d6c4f58b4a03da6b7a4846e3cbc2b24
SHA256:c074a4f33aec271dbbbe6734a7e501f6500441a6dfaf502bcf511605f3dc9488
Infos:

Detection

Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Loading BitLocker PowerShell Module
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64native
  • xsYbMYg5Dr.exe (PID: 6772 cmdline: "C:\Users\user\Desktop\xsYbMYg5Dr.exe" MD5: BBC1D10FDF7FC20B03EB2B00FE75637A)
    • cmd.exe (PID: 5332 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • ShellExperienceHosts.exe (PID: 4612 cmdline: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe MD5: B67C4DAACF5916623340F6AA870FEDC9)
        • cmd.exe (PID: 4456 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • tasklist.exe (PID: 4180 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 1424 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 1484 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 4644 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 3228 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 7912 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 3344 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 624 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 2676 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 4980 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7712 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 4840 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 1840 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 5972 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 4476 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 4664 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 4808 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 5116 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6700 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 6060 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 7820 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 3628 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 2992 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 7400 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 5284 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 2312 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 2424 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6352 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 3368 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 3380 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 5980 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7648 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 3344 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6868 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7404 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 716 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • cmd.exe (PID: 1156 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • powershell.exe (PID: 5332 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 3628 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • powershell.exe (PID: 5684 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Execution from Suspicious Folder
Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, CommandLine: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, NewProcessName: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, OriginalFileName: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5332, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ProcessId: 4612, ProcessName: ShellExperienceHosts.exe
Sigma detected: Parent in Public Folder Suspicious Process
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentImage: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentProcessId: 4612, ParentProcessName: ShellExperienceHosts.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 1156, ProcessName: cmd.exe
Sigma detected: Suspicious Program Location with Network Connections
Source: Network ConnectionAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 137.220.229.26, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, Initiated: true, ProcessId: 4612, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49750
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1156, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 5332, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1156, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 5332, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-10T04:50:36.465071+010020528751A Network Trojan was detected192.168.11.2049751137.220.229.2618091TCP
2025-01-10T04:52:58.725681+010020528751A Network Trojan was detected192.168.11.2049756137.220.229.2618091TCP
2025-01-10T04:56:08.483227+010020528751A Network Trojan was detected192.168.11.2049764137.220.229.2618091TCP
2025-01-10T04:57:10.596408+010020528751A Network Trojan was detected192.168.11.2049766137.220.229.2618091TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\backup.dllAvira: detection malicious, Label: TR/Farfli.xupgd
Source: C:\Users\Public\Bulete\program\steam_api.dllAvira: detection malicious, Label: TR/Farfli.xupgd
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\backup.dllReversingLabs: Detection: 73%
Source: C:\Users\Public\Bulete\program\steam_api.dllReversingLabs: Detection: 73%
Multi AV Scanner detection for submitted file
Source: xsYbMYg5Dr.exeVirustotal: Detection: 19%Perma Link
Source: xsYbMYg5Dr.exeReversingLabs: Detection: 52%
Source: xsYbMYg5Dr.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\jenkins\workspace\steamoverlayinjector\bin\overlayinjector.pdb source: ShellExperienceHosts.exe, 00000004.00000000.23192953331.0000000000F98000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24016401306.0000000003561000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \YSS\Release\steam_api.pdb source: xsYbMYg5Dr.exe, 00000000.00000003.23190827029.0000000007160000.00000004.00001000.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000004.00000003.23903275936.000000000374D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24038132308.0000000008F91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24039507669.0000000009078000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbk source: powershell.exe, 0000000F.00000002.24038132308.0000000008FD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24038132308.0000000008FD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24038132308.0000000008FD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbfI source: powershell.exe, 0000000F.00000002.24038132308.0000000008F91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24032033189.0000000007AB0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: z:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: x:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: v:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: t:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: r:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: p:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: n:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: l:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: j:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: h:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: f:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: d:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: b:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: y:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: w:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: u:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: s:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: q:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: o:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: m:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: k:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: i:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: g:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: e:Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: c:Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile opened: [:Jump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49764 -> 137.220.229.26:18091
Source: Network trafficSuricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49766 -> 137.220.229.26:18091
Source: Network trafficSuricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49751 -> 137.220.229.26:18091
Source: Network trafficSuricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49756 -> 137.220.229.26:18091
Connects to many ports of the same IP (likely port scanning)
Source: global trafficTCP traffic: 137.220.229.26 ports 18852,18091,18092,1,2,5,8
Source: global trafficTCP traffic: 192.168.11.20:49750 -> 137.220.229.26:18852
Source: Joe Sandbox ViewASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: unknownTCP traffic detected without corresponding DNS query: 137.220.229.26
Source: powershell.exe, 0000000E.00000002.24017231710.0000000003718000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24016401306.00000000035A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000E.00000002.24017231710.0000000003718000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24016401306.00000000035A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000E.00000002.24036484222.0000000008F6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsof
Source: powershell.exe, 0000000E.00000002.24026441664.00000000065D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24027604462.00000000061A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 0000000E.00000002.24019204352.0000000005D5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000E.00000002.24019204352.0000000005571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.24019204352.0000000005D5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: powershell.exe, 0000000E.00000002.24017231710.0000000003718000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24016401306.00000000035A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 0000000E.00000002.24019204352.0000000005571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000F.00000002.24027604462.00000000061A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.24027604462.00000000061A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.24027604462.00000000061A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 0000000E.00000002.24026441664.00000000065D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24027604462.00000000061A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000E.00000002.24017231710.0000000003718000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24016401306.00000000035A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeWindows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeProcess Stats: CPU usage > 6%
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_00404FAA0_2_00404FAA
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_0041206B0_2_0041206B
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_0041022D0_2_0041022D
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_00411F910_2_00411F91
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_037B1BED15_2_037B1BED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_037B165315_2_037B1653
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_037B1D7215_2_037B1D72
Source: Joe Sandbox ViewDropped File: C:\Users\Public\Bulete\Firefox Setup 132.0.2.exe F451E97BF0F25CC841366C190F62C8037577EC2EBC5A67DD524396559134F3B8
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: String function: 0040243B appears 37 times
Source: xsYbMYg5Dr.exeStatic PE information: invalid certificate
Source: xsYbMYg5Dr.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: xsYbMYg5Dr.exe, 00000000.00000000.23114844387.0000000000455000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameosprovision.exe` vs xsYbMYg5Dr.exe
Source: xsYbMYg5Dr.exe, 00000000.00000000.23114844387.0000000000455000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAOKAISB.exe< vs xsYbMYg5Dr.exe
Source: xsYbMYg5Dr.exe, 00000000.00000003.23190827029.0000000007160000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamensdksetupJ vs xsYbMYg5Dr.exe
Source: xsYbMYg5Dr.exeBinary or memory string: OriginalFileNameosprovision.exe` vs xsYbMYg5Dr.exe
Source: xsYbMYg5Dr.exeBinary or memory string: OriginalFilenameAOKAISB.exe< vs xsYbMYg5Dr.exe
Source: xsYbMYg5Dr.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engineClassification label: mal96.troj.evad.winEXE@100/44@0/1
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,0_2_00407776
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,0_2_0040118A
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_004034C1
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,0_2_00401BDF
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeFile created: C:\Users\Public\BuleteJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:304:WilStaging_02
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeMutant created: \Sessions\1\BaseNamedObjects\2024.12. 7
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:304:WilStaging_02
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile created: C:\Users\user\AppData\Local\Temp\monitor.batJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: xsYbMYg5Dr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\timeout.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SHELLEXPERIENCEHOSTS.EXE&apos;
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: xsYbMYg5Dr.exeVirustotal: Detection: 19%
Source: xsYbMYg5Dr.exeReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeFile read: C:\Users\user\Desktop\xsYbMYg5Dr.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\xsYbMYg5Dr.exe "C:\Users\user\Desktop\xsYbMYg5Dr.exe"
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exeJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1Jump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: steam_api.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: dinput8.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: devenum.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: devobj.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: msdmo.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: avicap32.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: Firefox Setup 132.0.2.exe.lnk.4.drLNK file: ..\..\Public\Bulete\Firefox Setup 132.0.2.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: xsYbMYg5Dr.exeStatic file information: File size 70578951 > 1048576
Source: Binary string: C:\jenkins\workspace\steamoverlayinjector\bin\overlayinjector.pdb source: ShellExperienceHosts.exe, 00000004.00000000.23192953331.0000000000F98000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24016401306.0000000003561000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \YSS\Release\steam_api.pdb source: xsYbMYg5Dr.exe, 00000000.00000003.23190827029.0000000007160000.00000004.00001000.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000004.00000003.23903275936.000000000374D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24038132308.0000000008F91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24039507669.0000000009078000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbk source: powershell.exe, 0000000F.00000002.24038132308.0000000008FD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24038132308.0000000008FD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24038132308.0000000008FD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbfI source: powershell.exe, 0000000F.00000002.24038132308.0000000008F91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.24032033189.0000000007AB0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
Source: steam_api.dll.0.drStatic PE information: section name: .00cfg
Source: backup.dll.4.drStatic PE information: section name: .00cfg
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_00411C20 push eax; ret 0_2_00411C4E
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile created: C:\Users\user\AppData\Local\Temp\backup.dllJump to dropped file
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeFile created: C:\Users\Public\Bulete\program\steam_api.dllJump to dropped file
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeFile created: C:\Users\Public\Bulete\Firefox Setup 132.0.2.exeJump to dropped file
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeFile created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeJump to dropped file
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile created: C:\Users\user\AppData\Local\Temp\backup.exeJump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeKey value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4Jump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeWindow / User API: threadDelayed 8151Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9586Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9796Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dllJump to dropped file
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeDropped PE file which has not been started: C:\Users\Public\Bulete\Firefox Setup 132.0.2.exeJump to dropped file
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 5664Thread sleep time: -73000s >= -30000sJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 5596Thread sleep count: 114 > 30Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 5596Thread sleep time: -342000s >= -30000sJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 5596Thread sleep count: 8151 > 30Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 5596Thread sleep time: -24453000s >= -30000sJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 5268Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 5192Thread sleep count: 42 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5344Thread sleep count: 9586 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5488Thread sleep count: 245 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7048Thread sleep count: 9796 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4148Thread sleep count: 47 > 30Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 5668Thread sleep count: 274 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6840Thread sleep count: 268 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5748Thread sleep count: 275 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5436Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5356Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 1708Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 3496Thread sleep count: 267 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7312Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8060Thread sleep count: 267 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 2184Thread sleep count: 267 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 4860Thread sleep count: 267 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 1688Thread sleep count: 269 > 30
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeThread delayed: delay time: 73000Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeThread delayed: delay time: 30000Jump to behavior
Source: powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

barindex
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreakJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1Jump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_0040D72E cpuid 0_2_0040D72E
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,0_2_00401F9D
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401626
Source: C:\Users\user\Desktop\xsYbMYg5Dr.exeCode function: 0_2_00404FAA KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00404FAA
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		1
Replication Through Removable Media		1
Windows Management Instrumentation		1
Scripting		11
Process Injection		1
Masquerading		1
Input Capture		1
System Time Discovery		Remote Services1
Input Capture		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Native API		1
DLL Side-Loading		1
DLL Side-Loading		1
Modify Registry		LSASS Memory11
Security Software Discovery		Remote Desktop Protocol1
Archive Collected Data		1
Non-Standard Port		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
PowerShell		Logon Script (Windows)Logon Script (Windows)11
Virtualization/Sandbox Evasion		Security Account Manager2
Process Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection		NTDS11
Virtualization/Sandbox Evasion		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Deobfuscate/Decode Files or Information		LSA Secrets1
Application Window Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts21
Obfuscated Files or Information		Cached Domain Credentials11
Peripheral Device Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
Software Packing		DCSync2
File and Directory Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
DLL Side-Loading		Proc Filesystem37
System Information Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1587294 Sample: xsYbMYg5Dr.exe Startdate: 10/01/2025 Architecture: WINDOWS Score: 96 60 Suricata IDS alerts for network traffic 2->60 62 Antivirus detection for dropped file 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 5 other signatures 2->66 9 xsYbMYg5Dr.exe 10 2->9         started        process3 file4 50 C:\Users\Public\Bulete\...\steam_api.dll, PE32 9->50 dropped 52 C:\Users\Public\...\Firefox Setup 132.0.2.exe, PE32 9->52 dropped 54 C:\Users\Public\...\ShellExperienceHosts.exe, PE32 9->54 dropped 12 cmd.exe 1 9->12         started        process5 signatures6 68 Bypasses PowerShell execution policy 12->68 15 ShellExperienceHosts.exe 3 8 12->15         started        19 conhost.exe 12->19         started        process7 dnsIp8 56 137.220.229.26, 18091, 18092, 18852 BCPL-SGBGPNETGlobalASNSG Singapore 15->56 44 C:\Users\user\AppData\Local\Temp\backup.dll, PE32 15->44 dropped 46 C:\Users\user\AppData\Local\updated.ps1, ASCII 15->46 dropped 48 C:\Users\user\AppData\Local\Temp\backup.exe, PE32 15->48 dropped 21 cmd.exe 1 15->21         started        23 cmd.exe 1 15->23         started        25 cmd.exe 1 15->25         started        file9 process10 process11 27 conhost.exe 21->27         started        29 tasklist.exe 1 21->29         started        31 findstr.exe 1 21->31         started        42 34 other processes 21->42 33 powershell.exe 1 23 23->33         started        36 conhost.exe 23->36         started        38 powershell.exe 39 25->38         started        40 conhost.exe 25->40         started        signatures12 58 Loading BitLocker PowerShell Module 38->58

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
xsYbMYg5Dr.exe19%VirustotalBrowse
xsYbMYg5Dr.exe53%ReversingLabsWin32.Trojan.DllHijack

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\backup.dll100%AviraTR/Farfli.xupgd
C:\Users\Public\Bulete\program\steam_api.dll100%AviraTR/Farfli.xupgd
C:\Users\user\AppData\Local\Temp\backup.dll74%ReversingLabsWin32.Trojan.DllHijack
C:\Users\user\AppData\Local\Temp\backup.exe0%ReversingLabs
C:\Users\Public\Bulete\Firefox Setup 132.0.2.exe0%ReversingLabs
C:\Users\Public\Bulete\program\ShellExperienceHosts.exe0%ReversingLabs
C:\Users\Public\Bulete\program\steam_api.dll74%ReversingLabsWin32.Trojan.DllHijack

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://crl.microsof0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://pesterbdd.com/images/Pester.png4powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpfalse
    		high
    https://github.com/Pester/Pester4powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://nuget.org/NuGet.exepowershell.exe, 0000000E.00000002.24026441664.00000000065D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24027604462.00000000061A4000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 0000000E.00000002.24019204352.0000000005D5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://aka.ms/pscore6lBpowershell.exe, 0000000E.00000002.24019204352.0000000005571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005141000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://crl.microsofpowershell.exe, 0000000E.00000002.24036484222.0000000008F6B000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://schemas.xmlsoap.org/wsdl/powershell.exe, 0000000E.00000002.24019204352.0000000005D5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://contoso.com/powershell.exe, 0000000F.00000002.24027604462.00000000061A4000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://nuget.org/nuget.exepowershell.exe, 0000000E.00000002.24026441664.00000000065D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24027604462.00000000061A4000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Licensepowershell.exe, 0000000F.00000002.24027604462.00000000061A4000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://contoso.com/Iconpowershell.exe, 0000000F.00000002.24027604462.00000000061A4000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.quovadis.bm0powershell.exe, 0000000E.00000002.24017231710.0000000003718000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24016401306.00000000035A7000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            https://ocsp.quovadisoffshore.com0powershell.exe, 0000000E.00000002.24017231710.0000000003718000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24016401306.00000000035A7000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000E.00000002.24019204352.0000000005571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005141000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.apache.org/licenses/LICENSE-2.0.html4powershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://github.com/Pester/Pesterpowershell.exe, 0000000E.00000002.24019204352.00000000056C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.24019187691.0000000005298000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high

                                    World Map of Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public IPs

                                    IPDomainCountryFlagASNASN NameMalicious
                                    137.220.229.26
                                    		unknownSingapore
                                    		64050BCPL-SGBGPNETGlobalASNSGtrue

                                    General Information

                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1587294
                                    Start date and time:2025-01-10 04:47:01 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 17m 19s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                    Run name:Suspected Instruction Hammering
                                    Number of analysed new started processes analysed:50
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:xsYbMYg5Dr.exe
                                    Detection:MAL
                                    Classification:mal96.troj.evad.winEXE@100/44@0/1
                                    EGA Information:
                                    • Successful, ratio: 33.3%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 51
                                    • Number of non-executed functions: 58
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

                                    Warnings

                                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                    • Exclude process from analysis (whitelisted): dllhost.exe
                                    • Execution Graph export aborted for target powershell.exe, PID 5332 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 5684 because it is empty
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtEnumerateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    22:49:57API Interceptor13162589x Sleep call for process: ShellExperienceHosts.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    No context

                                    Domains

                                    No context

                                    ASNs

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    BCPL-SGBGPNETGlobalASNSGhttps://199.188.109.181Get hashmaliciousUnknownBrowse
                                    • 134.122.133.80
                                    QUOTATION#050125.exeGet hashmaliciousFormBookBrowse
                                    • 202.95.11.110
                                    QUOTATION#070125-ELITE MARINE .exeGet hashmaliciousFormBookBrowse
                                    • 202.95.11.110
                                    QUOTATION#050125.exeGet hashmaliciousFormBookBrowse
                                    • 202.95.11.110
                                    0Z2lZiPk5K.exeGet hashmaliciousDarkTortilla, FormBookBrowse
                                    • 134.122.133.80
                                    DHL DOCS 2-0106-25.exeGet hashmaliciousFormBookBrowse
                                    • 134.122.135.48
                                    PO_62401394_MITech_20250601.exeGet hashmaliciousFormBookBrowse
                                    • 134.122.135.48
                                    ErbgterT2R.exeGet hashmaliciousGhostRatBrowse
                                    • 134.122.155.39
                                    Order Inquiry.exeGet hashmaliciousFormBookBrowse
                                    • 134.122.135.48
                                    Uulw5M1DfU.exeGet hashmaliciousGhostRatBrowse
                                    • 137.220.229.61

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    C:\Users\Public\Bulete\Firefox Setup 132.0.2.exeFqae7BLq4m.exeGet hashmaliciousUnknownBrowse
                                      Fqae7BLq4m.exeGet hashmaliciousUnknownBrowse

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):0.34726597513537405
                                        Encrypted:false
                                        SSDEEP:3:Nlll:Nll
                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                        Malicious:false
                                        Preview:@...e...........................................................

                                        C:\Users\user\AppData\Local\PolicyManagement.xml

                                        Download File
                                        Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1893
                                        Entropy (8bit):5.212287775015203
                                        Encrypted:false
                                        SSDEEP:48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
                                        MD5:E3FB2ECD2AD10C30913339D97E0E9042
                                        SHA1:A004CE2B3D398312B80E2955E76BDA69EF9B7203
                                        SHA-256:1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
                                        SHA-512:9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4nil0sjr.gmz.ps1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4uths3lj.5yl.psm1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aelqdylw.kei.psm1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amety2qd.i43.psm1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cxrkvyhr.yp5.ps1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d4i4cuna.p5m.psm1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4pyvpbe.yoz.ps1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrdhrf44.xbe.ps1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                        C:\Users\user\AppData\Local\Temp\backup.dll

                                        Download File
                                        Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):2291000
                                        Entropy (8bit):6.606115317112524
                                        Encrypted:false
                                        SSDEEP:49152:F/kcCMJuG+opH4CLOpd7ioYiKq8iBh3n1XK0pcioOKTjJ:FMcCMJuGhB4CLmZioYQ8iBh3nhK0pciM
                                        MD5:F2AAF80741E8F710A4881841827C2B60
                                        SHA1:5947F5D09CCB62A6FB9543A95876425B2E2FC3A9
                                        SHA-256:B359AEC63091307343AD8FE9FA2AF0C016CE1A34500CD7EDDCEA4F1BC84DE4CA
                                        SHA-512:2B084333FEBE08AF2155B3469139B9125802877E92415D9C270BC232E5659CE65AFEEF0377498F38582328317BAEC442334ABAD339BD49A14F999ED72C9C65CF
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 74%
                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...^8^g...........!.........<.......!.......................................`#...........@.............................N......h..... ..H............".8)... !..0.......................... b......p...............T................................text.............................. ..`.rdata...^.......`..................@..@.data......... ..^..................@....00cfg........ ......N .............@..@.tls.......... ......P .............@....rsrc....H.... ..H...R .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................

                                        C:\Users\user\AppData\Local\Temp\backup.exe

                                        Download File
                                        Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):238376
                                        Entropy (8bit):6.538604095210033
                                        Encrypted:false
                                        SSDEEP:6144:BQOdKqcmNKotaoXAjEw4yJMaGVJ5haSO3vmvdrJm2sV0D:BQ7msobXAygf65hr8+vBov0D
                                        MD5:B67C4DAACF5916623340F6AA870FEDC9
                                        SHA1:F1B396939F89E71AB59938C8C3846BAAF7996DE6
                                        SHA-256:79C6471E6F2C93978CE1593EED24D8C380ED7F1B4F5E939982CE03CC21DDB3A1
                                        SHA-512:30A48780A82F475FC690E66E6907F04F1EA0F7840D718E1061E71950E29324E29C4A15E36346090510BEFD80EE5927E9056A286A6978B5B3D9906C1FC1D0B682
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.I.v.'.v.'.v.'...$.{.'..."...'...#.o.'...&.t.'.M.$.b.'.M."...'.M.#.`.'.J.&.u.'.v.&...'..".w.'....w.'..%.w.'.Richv.'.........................PE..L...^..].................p..."......j:............@.......................................@..................................0..<.......................(.......P*..0...T...............................@............................................text...xn.......p.................. ..`.rdata...............t..............@..@.data...p*...@.......0..............@....gfids..p....p.......L..............@..@.rsrc................X..............@..@.reloc..P*.......,...Z..............@..B................................................................................................................................................................................................................................................

                                        C:\Users\user\AppData\Local\Temp\monitor.bat

                                        Download File
                                        Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):802
                                        Entropy (8bit):5.118076548156536
                                        Encrypted:false
                                        SSDEEP:24:NFW/WilW/WvlWEAzWcnMZKx31SIYaYZLZ6y:NFVIVNjAzCZKx31SIYN/6y
                                        MD5:588623824D8BE347C1C4724268CD0FB6
                                        SHA1:9CAD56CD57824BE97E9B91B67CB53171E2668363
                                        SHA-256:EFFC11C28CD96C8372D4A9817F446837F42CB0BF2A5ED95410F3077E9692C9FC
                                        SHA-512:B7CFAFB7CE77D66E4320CC98C939E3BBBE382306F4A10B0823D3E5FDB2EDF3CE1E61F5C9F0D28692E11D04E9CDB2E399CE2ADFCB9ABAC62FDD9F0A378A1EB3CB
                                        Malicious:false
                                        Preview:@echo off..:CheckProcess..set "ProcessName=ShellExperienceHosts.exe"..set "ProcessPath=C:\Users\Public\Bulete\program\ShellExperienceHosts.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bulete\program\steam_api.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..

                                        C:\Users\user\AppData\Local\Temp\monitor.pid

                                        Download File
                                        Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):4
                                        Entropy (8bit):1.5
                                        Encrypted:false
                                        SSDEEP:3:W:W
                                        MD5:8AB8DFF7441EDA91AA7BB26BECB3AFD3
                                        SHA1:6048A71FB8922DD264B5FD2BE476BA489663168A
                                        SHA-256:FF805620597E92258A4FDF2324268ECB9704A8D0600924EFC10FF253EDDEAB01
                                        SHA-512:72517FF34461E1A2E6FCCF8A317FAC57FB41D6D0AC044CE7C5F407A410D774AB2EDC25A191B416AB77E39E3DF523D58BB67700D70EE9CF81AF453E508FEF65DE
                                        Malicious:false
                                        Preview:4456

                                        C:\Users\user\AppData\Local\updated.ps1

                                        Download File
                                        Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                        File Type:ASCII text
                                        Category:dropped
                                        Size (bytes):151
                                        Entropy (8bit):4.741657013789009
                                        Encrypted:false
                                        SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                        MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                        SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                        SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                        SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                        Malicious:true
                                        Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName

                                        C:\Users\user\Desktop\Firefox Setup 132.0.2.exe.lnk

                                        Download File
                                        Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Jan 10 02:49:12 2025, mtime=Fri Jan 10 02:49:16 2025, atime=Tue Dec 3 12:11:47 2024, length=68284584, window=hide
                                        Category:dropped
                                        Size (bytes):1106
                                        Entropy (8bit):4.675456650728397
                                        Encrypted:false
                                        SSDEEP:12:8yXu0U4I3ZcCHqXZeiACmqEx+6+wNBFDtYjAsIKGTF0avl0wV/KJ/K9v4t2YCBT7:8yOMJ2ZPDyAs8dvu6CJCrJTvm
                                        MD5:3413A05EA891E7FE60920D8CA473CE66
                                        SHA1:24E9A5654854761C53958E89BD7D594E78086997
                                        SHA-256:B8EB9EAA89FECCE0605309A3916E0CE862E468D3E54952EF5320F560DC5AD612
                                        SHA-512:B055C456B4F61213231BACB1D9D49D21C553D9C4B5A8FDB979FEAF73546D31031A8311231389FA1194D97E8E47891C334640B662DDE7C39DC605C8B39F24ECEA
                                        Malicious:false
                                        Preview:L..................F.... ...7...c......c......E...............................P.O. .:i.....+00.../C:\...................x.1....."S...Users.d......OwH*Z#......u..............:.......8.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1.....*Z'...Public..f......O.I*Z'.....Du..............<.....3K..P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1.....*Z'...Bulete..>......*Z'.*Z'.....+......................<..B.u.l.e.t.e.......2......Yxi .FIREFO~1.EXE..d......*Z'.*Z)...........................1.).F.i.r.e.f.o.x. .S.e.t.u.p. .1.3.2...0...2...e.x.e......._...............-.......^.............a.....C:\Users\Public\Bulete\Firefox Setup 132.0.2.exe..-.....\.....\.P.u.b.l.i.c.\.B.u.l.e.t.e.\.F.i.r.e.f.o.x. .S.e.t.u.p. .1.3.2...0...2...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......358075..............n4UB.. .|..om. /.....G.P..#.....n4UB.. .|..om. /.....G.P..#.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.6.5.6.7.-.2.9.6.9.5.8.8.3.8.2

                                        C:\Users\Public\Bulete\Firefox Setup 132.0.2.exe

                                        Download File
                                        Process:C:\Users\user\Desktop\xsYbMYg5Dr.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                        Category:dropped
                                        Size (bytes):68284584
                                        Entropy (8bit):7.999992371883463
                                        Encrypted:true
                                        SSDEEP:1572864:QHms4Lp3eKMWTi1hdM0C49TEX+tWBrhCJOfH:TNlfD46Xh
                                        MD5:23F241F690F1F73A272EC524FB0537A7
                                        SHA1:E9C8177734425D5A5544B6BD6BE6D5B4627E1FE1
                                        SHA-256:F451E97BF0F25CC841366C190F62C8037577EC2EBC5A67DD524396559134F3B8
                                        SHA-512:8E574C0069B8D3EBE8E43DFFA3DE6A9BECBFDF3681E88801D93FB81AD623490ECA7852DA933198E40F10BAB9E249D8E3509D0AC505575FC151D768E799F03957
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Joe Sandbox View:
                                        • Filename: Fqae7BLq4m.exe, Detection: malicious, Browse
                                        • Filename: Fqae7BLq4m.exe, Detection: malicious, Browse
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`Y.`Y.`YM.nY.`Y&.dY.`Y..?Y.`Y..=Y.`Y.aYb.`Y&.jY.`Y&.kY..`Yv.fY.`YRich.`Y........................PE..L...9m.[.........................@...O...P...`....@..........................`.............................................L[.......`..L...........X...P5..................................................................0.......................UPX0.....@..............................UPX1.........P......................@....rsrc........`......................@..............................................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....

                                        C:\Users\Public\Bulete\program\IOVAS

                                        Download File
                                        Process:C:\Users\user\Desktop\xsYbMYg5Dr.exe
                                        File Type:openssl enc'd data with salted password, base64 encoded
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):5.214614648336088
                                        Encrypted:false
                                        SSDEEP:3:iqkwjRDzCnxEV6XO/8n1RxVd:ilwtDzCCKiexVd
                                        MD5:90D024DFE70520C0AB9B10DE0FA60419
                                        SHA1:7B3E234334337A2B90255A4582807A6B6171B418
                                        SHA-256:76A373B460314AA7D5244E4600BBBA648995DD0ED01456DD73CF5ECE078D2FEB
                                        SHA-512:862E57106EB15C80DC570893EAE831BC6167125BDCD2E3330C2D0A4031A27D53BD9B7CC85297FF544B16B342D74AF765A4D452CFCFD91F9CC42DE56186DBCFF6
                                        Malicious:false
                                        Preview:U2FsdGVkX1+zFtfVaNBYEa0v0afSI+6Vj9mL1nphbplejr1tMI9ouy5kap18t8oW

                                        C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

                                        Download File
                                        Process:C:\Users\user\Desktop\xsYbMYg5Dr.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):238376
                                        Entropy (8bit):6.538604095210033
                                        Encrypted:false
                                        SSDEEP:6144:BQOdKqcmNKotaoXAjEw4yJMaGVJ5haSO3vmvdrJm2sV0D:BQ7msobXAygf65hr8+vBov0D
                                        MD5:B67C4DAACF5916623340F6AA870FEDC9
                                        SHA1:F1B396939F89E71AB59938C8C3846BAAF7996DE6
                                        SHA-256:79C6471E6F2C93978CE1593EED24D8C380ED7F1B4F5E939982CE03CC21DDB3A1
                                        SHA-512:30A48780A82F475FC690E66E6907F04F1EA0F7840D718E1061E71950E29324E29C4A15E36346090510BEFD80EE5927E9056A286A6978B5B3D9906C1FC1D0B682
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.I.v.'.v.'.v.'...$.{.'..."...'...#.o.'...&.t.'.M.$.b.'.M."...'.M.#.`.'.J.&.u.'.v.&...'..".w.'....w.'..%.w.'.Richv.'.........................PE..L...^..].................p..."......j:............@.......................................@..................................0..<.......................(.......P*..0...T...............................@............................................text...xn.......p.................. ..`.rdata...............t..............@..@.data...p*...@.......0..............@....gfids..p....p.......L..............@..@.rsrc................X..............@..@.reloc..P*.......,...Z..............@..B................................................................................................................................................................................................................................................

                                        C:\Users\Public\Bulete\program\steam_api.dll

                                        Download File
                                        Process:C:\Users\user\Desktop\xsYbMYg5Dr.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):2291000
                                        Entropy (8bit):6.606115317112524
                                        Encrypted:false
                                        SSDEEP:49152:F/kcCMJuG+opH4CLOpd7ioYiKq8iBh3n1XK0pcioOKTjJ:FMcCMJuGhB4CLmZioYQ8iBh3nhK0pciM
                                        MD5:F2AAF80741E8F710A4881841827C2B60
                                        SHA1:5947F5D09CCB62A6FB9543A95876425B2E2FC3A9
                                        SHA-256:B359AEC63091307343AD8FE9FA2AF0C016CE1A34500CD7EDDCEA4F1BC84DE4CA
                                        SHA-512:2B084333FEBE08AF2155B3469139B9125802877E92415D9C270BC232E5659CE65AFEEF0377498F38582328317BAEC442334ABAD339BD49A14F999ED72C9C65CF
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 74%
                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...^8^g...........!.........<.......!.......................................`#...........@.............................N......h..... ..H............".8)... !..0.......................... b......p...............T................................text.............................. ..`.rdata...^.......`..................@..@.data......... ..^..................@....00cfg........ ......N .............@..@.tls.......... ......P .............@....rsrc....H.... ..H...R .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................

                                        \Device\Null

                                        Download File
                                        Process:C:\Windows\SysWOW64\timeout.exe
                                        File Type:ASCII text, with CRLF line terminators, with overstriking
                                        Category:dropped
                                        Size (bytes):172
                                        Entropy (8bit):3.8842159555406113
                                        Encrypted:false
                                        SSDEEP:3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUqg2Htyst3g4t32vov:hYFRamFSQZ0lv5y/9JctESnQUq3tyMXZ
                                        MD5:B44FC16E07912C24524F74A8D3C9BCED
                                        SHA1:CCBA90D10D32BFF18221183C88146B378011CC3B
                                        SHA-256:FA51D90457861D7169034A0D4122B3AFDA2B4C07E157A4C18AF06D833C96ED2A
                                        SHA-512:1B9F0DD3387FDD1324828AA7CC94A98EC0344A5CAF1EDFFAAF7C0F98F134B09A4DCFD440E9374B0D3C80E099DFE43DABD838B0BE34C395C2F64C9334AE569516
                                        Malicious:false
                                        Preview:..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13..12..11..10.. 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.999065343720958
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:xsYbMYg5Dr.exe
                                        File size:70'578'951 bytes
                                        MD5:bbc1d10fdf7fc20b03eb2b00fe75637a
                                        SHA1:61a1eeaf8d6c4f58b4a03da6b7a4846e3cbc2b24
                                        SHA256:c074a4f33aec271dbbbe6734a7e501f6500441a6dfaf502bcf511605f3dc9488
                                        SHA512:87e2c7b9cea2e8e99951a518c80db3995803f473069c52385c5713244d955600256573d7fd25635c0412e0724801e54bddb9a61a79d7d72b1b0aff05a8ab378f
                                        SSDEEP:1572864:bhTT9C+Yg8SrPYr+iraHMhj5ZCBnej/vlZ4q/kJa:dTylSTaZashj+A/v/PEa
                                        TLSH:41F73383132A66ADC3ED74350A900618DF6869F34135D8A974EC6F4FAF73E11A2E7C19
                                        File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..................................~.......................................P...........O............4.8).

                                        File Icon

                                        Icon Hash:2d2e3797b32b2b99

                                        Static PE Info

                                        General

                                        Entrypoint:0x411def
                                        Entrypoint Section:.text
                                        Digitally signed:true
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:
                                        Time Stamp:0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:b5a014d7eeb4c2042897567e1288a095

                                        Authenticode Signature

                                        Signature Valid:false
                                        Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                        Signature Validation Error:The digital signature of the object did not verify
                                        Error Number:-2146869232
                                        Not Before, Not After
                                        • 22/02/2024 21:25:52 19/02/2025 21:25:52
                                        Subject Chain
                                        • CN=.NET, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                        Version:3
                                        Thumbprint MD5:430565BEA94CD2EBC1BA24A3A2D7FC84
                                        Thumbprint SHA-1:724C8D7BBEB78F2618147BF7BA8060AC308B7468
                                        Thumbprint SHA-256:A7F501CB1578B030063B4490C3DAD52AFA6820FCB0CA047961B459E7DC43BDDF
                                        Serial:33000003D2DA19165D6DC749AF0000000003D2

                                        Entrypoint Preview

                                        Instruction
                                        push ebp
                                        mov ebp, esp
                                        push FFFFFFFFh
                                        push 00414C50h
                                        push 00411F80h
                                        mov eax, dword ptr fs:[00000000h]
                                        push eax
                                        mov dword ptr fs:[00000000h], esp
                                        sub esp, 68h
                                        push ebx
                                        push esi
                                        push edi
                                        mov dword ptr [ebp-18h], esp
                                        xor ebx, ebx
                                        mov dword ptr [ebp-04h], ebx
                                        push 00000002h
                                        call dword ptr [00413184h]
                                        pop ecx
                                        or dword ptr [00419924h], FFFFFFFFh
                                        or dword ptr [00419928h], FFFFFFFFh
                                        call dword ptr [00413188h]
                                        mov ecx, dword ptr [0041791Ch]
                                        mov dword ptr [eax], ecx
                                        call dword ptr [0041318Ch]
                                        mov ecx, dword ptr [00417918h]
                                        mov dword ptr [eax], ecx
                                        mov eax, dword ptr [00413190h]
                                        mov eax, dword ptr [eax]
                                        mov dword ptr [00419920h], eax
                                        call 00007FC63CBD80D2h
                                        cmp dword ptr [00417710h], ebx
                                        jne 00007FC63CBD7FBEh
                                        push 00411F78h
                                        call dword ptr [00413194h]
                                        pop ecx
                                        call 00007FC63CBD80A4h
                                        push 00417048h
                                        push 00417044h
                                        call 00007FC63CBD808Fh
                                        mov eax, dword ptr [00417914h]
                                        mov dword ptr [ebp-6Ch], eax
                                        lea eax, dword ptr [ebp-6Ch]
                                        push eax
                                        push dword ptr [00417910h]
                                        lea eax, dword ptr [ebp-64h]
                                        push eax
                                        lea eax, dword ptr [ebp-70h]
                                        push eax
                                        lea eax, dword ptr [ebp-60h]
                                        push eax
                                        call dword ptr [0041319Ch]
                                        push 00417040h
                                        push 00417000h
                                        call 00007FC63CBD805Ch

                                        Data Directories

                                        NameVirtual AddressVirtual Size Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x150dc0xb4.rdata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x1a0000x64f18.rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x434c9cf0x2938
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IAT0x130000x310.rdata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                        Sections

                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                        .text0x10000x113170x11400797279c5ab1a163aed1f2a528f9fe3ceFalse0.6174988677536232data6.576987441854239IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rdata0x130000x30ea0x32001359639b02bcb8f0a8743e6ead1c0030False0.43828125data5.549434098115495IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data0x170000x292c0x8009415c9c8dea3245d6d73c23393e27d8eFalse0.431640625data3.6583182363171756IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .rsrc0x1a0000x64f180x65000c7317c940d5138133876964eb5039b9aFalse0.06085386370668317data3.895736995095981IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                        Resources

                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                        RT_BITMAP0x1a8980x3a9aaDevice independent bitmap graphic, 400 x 300 x 16, image size 240002, resolution 2834 x 2834 px/mEnglishUnited States0.004811657959857025
                                        RT_BITMAP0x552440x13eDevice independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colorsEnglishUnited States0.25471698113207547
                                        RT_BITMAP0x553840x828Device independent bitmap graphic, 32 x 16 x 32, image size 0EnglishUnited States0.03017241379310345
                                        RT_BITMAP0x55bac0x48a8Device independent bitmap graphic, 290 x 16 x 32, image size 0EnglishUnited States0.11881720430107527
                                        RT_BITMAP0x5a4540xa6aDevice independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/mEnglishUnited States0.21680420105026257
                                        RT_BITMAP0x5aec00x152Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colorsEnglishUnited States0.5295857988165681
                                        RT_BITMAP0x5b0140x828Device independent bitmap graphic, 32 x 16 x 32, image size 0EnglishUnited States0.4875478927203065
                                        RT_ICON0x5b83c0x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishUnited States0.43185920577617326
                                        RT_DIALOG0x5c0e40xacdataEnglishUnited States0.7151162790697675
                                        RT_DIALOG0x5c1900xccdataEnglishUnited States0.6911764705882353
                                        RT_DIALOG0x5c25c0x1b4dataEnglishUnited States0.5458715596330275
                                        RT_DIALOG0x5c4100x4cdataEnglishUnited States0.8289473684210527
                                        RT_STRING0x5c45c0x234dataEnglishUnited States0.4645390070921986
                                        RT_STRING0x5c6900x182dataEnglishUnited States0.5103626943005182
                                        RT_STRING0x5c8140x50dataEnglishUnited States0.7375
                                        RT_STRING0x5c8640x9adataEnglishUnited States0.37662337662337664
                                        RT_STRING0x5c9000x2f6dataEnglishUnited States0.449868073878628
                                        RT_STRING0x5cbf80x5c0dataEnglishUnited States0.3498641304347826
                                        RT_STRING0x5d1b80x434dataEnglishUnited States0.32899628252788105
                                        RT_STRING0x5d5ec0x100dataEnglishUnited States0.5703125
                                        RT_STRING0x5d6ec0x484dataEnglishUnited States0.39186851211072665
                                        RT_STRING0x5db700x1eadataEnglishUnited States0.44081632653061226
                                        RT_STRING0x5dd5c0x18adataEnglishUnited States0.5228426395939086
                                        RT_STRING0x5dee80x216Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishUnited States0.46254681647940077
                                        RT_STRING0x5e1000x624dataEnglishUnited States0.3575063613231552
                                        RT_STRING0x5e7240x660dataEnglishUnited States0.3474264705882353
                                        RT_STRING0x5ed840x2e2dataEnglishUnited States0.4037940379403794
                                        RT_MESSAGETABLE0x5f0680x2840dataEnglishUnited States0.28823757763975155
                                        RT_GROUP_ICON0x618a80x14dataEnglishUnited States1.15
                                        RT_VERSION0x618bc0x328dataEnglishUnited States0.44183168316831684
                                        RT_VERSION0x61be40x2b8COM executable for DOSChineseChina0.5301724137931034
                                        RT_HTML0x61e9c0x3835ASCII text, with very long lines (443), with CRLF line terminatorsEnglishUnited States0.08298005420807561
                                        RT_HTML0x656d40x1316ASCII text, with CRLF line terminatorsEnglishUnited States0.18399508800654932
                                        RT_HTML0x669ec0x8c77HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.08081426068578103
                                        RT_HTML0x6f6640x6acdHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.10679931238798873
                                        RT_HTML0x761340x6a2HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3486454652532391
                                        RT_HTML0x767d80x104aHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.2170263788968825
                                        RT_HTML0x778240x15b1HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.17612101566720692
                                        RT_HTML0x78dd80x205cexported SGML document, ASCII text, with very long lines (659), with CRLF line terminatorsEnglishUnited States0.13604538870111058
                                        RT_HTML0x7ae340x368dHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.10834228428213391
                                        RT_MANIFEST0x7e4c40x80fXML 1.0 document, ASCII text, with CRLF, LF line terminatorsEnglishUnited States0.40814348036839554
                                        RT_MANIFEST0x7ecd40x244XML 1.0 document, ASCII text, with CRLF line terminatorsChineseChina0.453448275862069

                                        Imports

                                        DLLImport
                                        COMCTL32.dll
                                        KERNEL32.dllGetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
                                        USER32.dllCharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
                                        GDI32.dllGetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
                                        SHELL32.dllSHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
                                        ole32.dllCoInitialize, CreateStreamOnHGlobal, CoCreateInstance
                                        OLEAUT32.dllVariantClear, OleLoadPicture, SysAllocString
                                        MSVCRT.dll__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

                                        Possible Origin

                                        Language of compilation systemCountry where language is spokenMap
                                        EnglishUnited States
                                        ChineseChina

                                        Network Behavior

                                        Suricata IDS Alerts

                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                        2025-01-10T04:50:36.465071+01002052875ET MALWARE Anonymous RAT CnC Checkin1192.168.11.2049751137.220.229.2618091TCP
                                        2025-01-10T04:52:58.725681+01002052875ET MALWARE Anonymous RAT CnC Checkin1192.168.11.2049756137.220.229.2618091TCP
                                        2025-01-10T04:56:08.483227+01002052875ET MALWARE Anonymous RAT CnC Checkin1192.168.11.2049764137.220.229.2618091TCP
                                        2025-01-10T04:57:10.596408+01002052875ET MALWARE Anonymous RAT CnC Checkin1192.168.11.2049766137.220.229.2618091TCP

                                        Network Port Distribution

                                        TCP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Jan 10, 2025 04:50:32.371851921 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:32.662174940 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:32.662478924 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:32.953984976 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:32.954054117 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:32.954140902 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:32.954294920 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:32.954361916 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:32.954528093 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.244971037 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.245024920 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.245192051 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.245315075 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.245379925 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.245527983 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.245611906 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.245718002 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.246093035 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.246270895 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.246433973 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.536258936 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.536333084 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.536463976 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.536607981 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.536685944 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.536705017 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.536797047 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.536963940 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.537029028 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.537049055 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.537156105 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.537264109 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.537362099 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.537363052 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.537492990 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.537616014 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.537704945 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.537705898 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.537868977 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.537925005 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.538777113 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.538777113 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.538948059 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.827080011 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.827104092 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.827275038 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.827419043 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.827528000 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.827614069 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.827752113 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.827835083 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.827936888 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.828006029 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.828056097 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.828146935 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.828262091 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.828381062 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.828485966 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.828634024 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.828685045 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.828685999 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.828685999 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.828738928 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.828866959 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.828892946 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.828980923 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.829085112 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.829204082 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.829356909 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.829360962 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.829484940 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.829602957 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.829699993 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.829699993 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.829701900 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.829822063 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.830040932 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.830342054 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.830605984 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.830725908 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.830835104 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.830945969 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.831315041 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.831315041 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.831444025 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.831598043 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:33.831654072 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:33.831934929 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.118235111 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.118273973 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.118402004 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.118432999 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.118638992 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.118705988 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.119019032 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.119096994 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.119199991 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.119244099 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.119322062 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.119365931 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.119365931 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.119365931 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.119478941 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.119513035 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.119663000 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.119780064 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.119870901 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.119885921 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.120004892 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.120029926 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.120095015 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.120253086 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.120332003 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.120429039 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.120538950 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.120543957 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.120686054 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.120776892 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.120893002 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.121011019 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.121129036 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.121244907 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.121541023 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.121541023 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.121706963 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.121706963 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.121900082 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.121995926 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.122112036 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.122241974 CET1885249750137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:34.122308016 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.122308016 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:34.122476101 CET4975018852192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:36.167277098 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:36.464607954 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:36.465070963 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:36.465070963 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:36.762291908 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:36.762706041 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:36.762739897 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.060364008 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.063790083 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.063904047 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.064028978 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.064049006 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.064249992 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.361495018 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.361532927 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.361697912 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.361716032 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.361809969 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.361901999 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.361996889 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.362050056 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.362116098 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.362282991 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.402622938 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.659163952 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.659223080 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.659388065 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.659389973 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.659471989 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.659584999 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.659735918 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.659780025 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.659854889 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.659924030 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.659953117 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.660015106 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.660119057 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.660181046 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.660249949 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.660376072 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.660461903 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.660800934 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.700057030 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.700083017 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.700577974 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.956444979 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.956473112 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.956623077 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.956722975 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.956743956 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.957016945 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.957058907 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.957267046 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.957293987 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.957487106 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.957516909 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.957575083 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.957699060 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.957782030 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.957824945 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.957902908 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.958033085 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.958055019 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.958097935 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.958220959 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.958256960 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.958338022 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.958390951 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.958492994 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.958563089 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.958575964 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.958728075 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.958861113 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.958894968 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.958977938 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.959037066 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.959072113 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.959155083 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.959233999 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.959270954 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.959573984 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.997690916 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.997816086 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.997922897 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.998054028 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:37.998150110 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:37.998317957 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.254103899 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.254131079 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.254312038 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.254440069 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.254489899 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.254658937 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.254767895 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.254879951 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.254885912 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.254962921 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.255045891 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.255060911 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.255060911 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.255207062 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.255220890 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.255291939 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.255394936 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.255454063 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.255496979 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.255610943 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.255728960 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.255897999 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.256011963 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.256130934 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.256244898 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.256244898 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.256248951 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.256331921 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.256416082 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.256416082 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.256499052 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.256577969 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.256660938 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.256737947 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.256747961 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.256886005 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.256920099 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.257318974 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.257489920 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.257602930 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.257615089 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.257704020 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.257807016 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.257936001 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.258101940 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.258404970 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.258532047 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.258637905 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.258768082 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.258826017 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.258847952 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.259169102 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.259434938 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.259737968 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.259855032 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.259968042 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.260087967 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.260220051 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.260220051 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.260385990 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.260575056 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.260596037 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.260694027 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.260811090 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.260931015 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.260998011 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.260998011 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.261537075 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.261647940 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.261727095 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.261773109 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.262065887 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.295259953 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.295381069 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.295438051 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.295593023 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.295701027 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.295720100 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.295870066 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.295885086 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.296034098 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.296056986 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.296549082 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.296549082 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.552081108 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.552118063 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.552278042 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.552299023 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.552423000 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.552457094 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.552642107 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.552676916 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.552690983 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.552830935 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.552928925 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.553034067 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.553035021 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.553086042 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.553164005 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.553221941 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.553366899 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.553446054 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.553481102 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.553539038 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.553582907 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.553708076 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.553736925 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.553791046 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.553917885 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.554033995 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.554044008 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.554157019 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.554182053 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.554277897 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.554383993 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.554460049 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.554496050 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.554716110 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.554724932 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.554879904 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.555162907 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.555322886 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.555438995 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.555548906 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.555558920 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.555669069 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.555901051 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.556205034 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.556456089 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.556509972 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.556699991 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.556700945 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.556739092 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.556874037 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.557043076 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.557238102 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.557271957 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.557429075 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.557463884 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.557543039 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.557626963 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.557828903 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.558233976 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.558329105 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.558455944 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.558475971 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.558634043 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.558777094 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.558819056 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.558988094 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.559344053 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.559379101 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.559581041 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.559582949 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.559659004 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.559743881 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.559926987 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:38.560379982 CET1809149751137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:38.560672045 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:39.589952946 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:39.892925024 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:39.893290997 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:41.573615074 CET4975118091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:44.543190956 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:44.543247938 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:44.846689939 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:44.846951962 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:44.847922087 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:44.848346949 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:45.201092958 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:55.523679972 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:55.827023029 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:50:55.881896973 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:50:56.235531092 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:51:11.145253897 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:51:11.448064089 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:51:11.470168114 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:51:11.822916985 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:51:26.766587019 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:51:27.069883108 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:51:27.104919910 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:51:27.458408117 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:51:42.388174057 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:51:42.691220045 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:51:42.719696999 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:51:43.072704077 CET1809149752137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:51:58.010210037 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:51:58.010210037 CET4975218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:51:59.946832895 CET4975318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:00.250036955 CET1809249753137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:00.250233889 CET4975318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:04.814959049 CET4975318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:04.815023899 CET4975318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:05.118308067 CET1809249753137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:05.118518114 CET1809249753137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:05.119673014 CET1809249753137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:05.120033026 CET4975318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:05.473201036 CET1809249753137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:15.880754948 CET4975318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:15.880755901 CET4975318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:17.817913055 CET4975418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:18.117050886 CET1809149754137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:18.117255926 CET4975418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:22.688657999 CET4975418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:22.688714981 CET4975418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:22.988042116 CET1809149754137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:22.988545895 CET1809149754137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:22.989557028 CET1809149754137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:22.989885092 CET4975418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:23.338624001 CET1809149754137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:33.751622915 CET4975418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:33.751622915 CET4975418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:35.689199924 CET4975518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:35.981842995 CET1809249755137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:35.982059002 CET4975518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:40.533859015 CET4975518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:40.533945084 CET4975518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:40.826997995 CET1809249755137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:40.827028990 CET1809249755137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:40.828175068 CET1809249755137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:40.828547001 CET4975518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:41.171767950 CET1809249755137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:51.622657061 CET4975518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:51.622657061 CET4975518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:53.559870005 CET4975618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:53.853652954 CET1809149756137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:53.853849888 CET4975618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:58.429908037 CET4975618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:58.724222898 CET1809149756137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:58.724457026 CET1809149756137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:58.725363970 CET1809149756137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:52:58.725681067 CET4975618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:52:59.069901943 CET1809149756137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:53:09.493720055 CET4975618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:09.787691116 CET1809149756137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:53:09.822654963 CET4975618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:10.167892933 CET1809149756137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:53:25.115201950 CET4975618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:25.409437895 CET1809149756137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:53:25.438333035 CET4975618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:25.782279968 CET1809149756137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:53:40.736700058 CET4975618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:40.736722946 CET4975618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:42.673923016 CET4975718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:42.973263025 CET1809249757137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:53:42.973587036 CET4975718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:47.547599077 CET4975718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:47.547687054 CET4975718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:47.847254992 CET1809249757137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:53:47.847527981 CET1809249757137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:53:47.848445892 CET1809249757137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:53:47.848757982 CET4975718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:48.198319912 CET1809249757137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:53:58.592120886 CET4975718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:58.891428947 CET1809249757137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:53:58.921823025 CET4975718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:53:59.271121025 CET1809249757137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:14.213639975 CET4975718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:14.213640928 CET4975718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:16.150916100 CET4975818091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:16.444063902 CET1809149758137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:16.444283009 CET4975818091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:21.024426937 CET4975818091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:21.024507999 CET4975818091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:21.317965984 CET1809149758137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:21.317979097 CET1809149758137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:21.319096088 CET1809149758137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:21.319478989 CET4975818091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:21.669222116 CET1809149758137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:32.069005013 CET4975818091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:32.069005013 CET4975818091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:34.006280899 CET4975918092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:34.308147907 CET1809249759137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:34.308327913 CET4975918092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:38.858588934 CET4975918092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:38.858680964 CET4975918092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:39.160892963 CET1809249759137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:39.160934925 CET1809249759137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:39.161988020 CET1809249759137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:39.162483931 CET4975918092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:39.514631033 CET1809249759137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:49.940264940 CET4975918092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:49.940308094 CET4975918092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:51.877285004 CET4976018091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:52.173358917 CET1809149760137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:52.173609972 CET4976018091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:56.735809088 CET4976018091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:56.735897064 CET4976018091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:57.032433987 CET1809149760137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:57.032574892 CET1809149760137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:57.033842087 CET1809149760137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:54:57.034307003 CET4976018091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:54:57.380983114 CET1809149760137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:07.795603991 CET4976018091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:07.795603991 CET4976018091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:09.732673883 CET4976118092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:10.022089958 CET1809249761137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:10.022521019 CET4976118092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:14.739981890 CET4976118092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:14.740005970 CET4976118092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:15.030045033 CET1809249761137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:15.030059099 CET1809249761137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:15.030931950 CET1809249761137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:15.031392097 CET4976118092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:15.371886969 CET1809249761137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:25.650926113 CET4976118092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:25.650959969 CET4976118092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:27.588098049 CET4976218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:27.887926102 CET1809149762137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:27.888202906 CET4976218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:32.554565907 CET4976218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:32.554635048 CET4976218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:32.854722977 CET1809149762137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:32.854799986 CET1809149762137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:32.855791092 CET1809149762137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:32.856132030 CET4976218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:33.206875086 CET1809149762137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:43.522181988 CET4976218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:43.522277117 CET4976218091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:45.459144115 CET4976318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:45.766082048 CET1809249763137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:45.766237020 CET4976318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:50.384243011 CET4976318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:50.691390991 CET1809249763137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:50.691813946 CET1809249763137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:50.692810059 CET1809249763137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:55:50.693172932 CET4976318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:55:51.050225019 CET1809249763137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:01.408620119 CET4976318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:01.408699989 CET4976318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:01.715703964 CET1809249763137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:01.715889931 CET4976318092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:03.346673012 CET4976418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:03.639902115 CET1809149764137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:03.640172005 CET4976418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:08.187999964 CET4976418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:08.188061953 CET4976418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:08.481862068 CET1809149764137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:08.481901884 CET1809149764137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:08.482964039 CET1809149764137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:08.483227015 CET4976418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:08.827137947 CET1809149764137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:19.263999939 CET4976418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:19.264056921 CET4976418091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:21.201194048 CET4976518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:21.493052959 CET1809249765137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:21.493247032 CET4976518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:26.081804991 CET4976518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:26.081870079 CET4976518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:26.373936892 CET1809249765137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:26.374109983 CET1809249765137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:26.375137091 CET1809249765137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:26.375467062 CET4976518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:26.716594934 CET1809249765137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:37.119580984 CET4976518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:37.119580984 CET4976518092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:39.056679010 CET4976618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:39.354805946 CET1809149766137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:39.355093956 CET4976618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:43.912743092 CET4976618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:43.912832975 CET4976618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:44.211188078 CET1809149766137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:44.211229086 CET1809149766137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:44.212310076 CET1809149766137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:44.212644100 CET4976618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:44.560117960 CET1809149766137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:54.974843025 CET4976618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:55.273164034 CET1809149766137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:56:55.301044941 CET4976618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:56:55.649115086 CET1809149766137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:57:10.596407890 CET4976618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:57:10.596407890 CET4976618091192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:57:12.533723116 CET4976718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:57:12.836179972 CET1809249767137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:57:12.836415052 CET4976718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:57:17.487121105 CET4976718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:57:17.487199068 CET4976718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:57:17.789836884 CET1809249767137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:57:17.789972067 CET1809249767137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:57:17.791038990 CET1809249767137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:57:17.791378975 CET4976718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:57:18.144294024 CET1809249767137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:57:28.467468023 CET4976718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:57:28.769828081 CET1809249767137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:57:28.801656961 CET4976718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:57:29.154860020 CET1809249767137.220.229.26192.168.11.20
                                        Jan 10, 2025 04:57:44.120268106 CET4976718092192.168.11.20137.220.229.26
                                        Jan 10, 2025 04:57:44.120269060 CET4976718092192.168.11.20137.220.229.26

                                        Statistics

                                        CPU Usage

                                        Click to jump to process

                                        Memory Usage

                                        Click to jump to process

                                        High Level Behavior Distribution

                                        Click to dive into process behavior distribution

                                        Behavior

                                        Click to jump to process

                                        System Behavior

                                        General

                                        Target ID:0
                                        Start time:22:49:12
                                        Start date:09/01/2025
                                        Path:C:\Users\user\Desktop\xsYbMYg5Dr.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\xsYbMYg5Dr.exe"
                                        Imagebase:0x400000
                                        File size:70'578'951 bytes
                                        MD5 hash:BBC1D10FDF7FC20B03EB2B00FE75637A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:2
                                        Start time:22:49:20
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                        Imagebase:0x1e0000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:3
                                        Start time:22:49:20
                                        Start date:09/01/2025
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff72d2c0000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:4
                                        Start time:22:49:20
                                        Start date:09/01/2025
                                        Path:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                        Imagebase:0xf70000
                                        File size:238'376 bytes
                                        MD5 hash:B67C4DAACF5916623340F6AA870FEDC9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        Reputation:low
                                        Has exited:false

                                        General

                                        Target ID:6
                                        Start time:22:50:31
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
                                        Imagebase:0x1e0000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        General

                                        Target ID:7
                                        Start time:22:50:31
                                        Start date:09/01/2025
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff72d2c0000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        General

                                        Target ID:8
                                        Start time:22:50:31
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0x7ff7f38c0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:9
                                        Start time:22:50:31
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:10
                                        Start time:22:50:31
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                        Imagebase:0x1e0000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:11
                                        Start time:22:50:32
                                        Start date:09/01/2025
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff72d2c0000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:12
                                        Start time:22:50:32
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                        Imagebase:0x1e0000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:13
                                        Start time:22:50:32
                                        Start date:09/01/2025
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff72d2c0000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:14
                                        Start time:22:50:32
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                        Imagebase:0xa90000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:15
                                        Start time:22:50:32
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                        Imagebase:0xa90000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:16
                                        Start time:22:50:32
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:17
                                        Start time:22:51:02
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0x4b0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:18
                                        Start time:22:51:02
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:19
                                        Start time:22:51:02
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:20
                                        Start time:22:51:32
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0x4b0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:21
                                        Start time:22:51:32
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:22
                                        Start time:22:51:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:23
                                        Start time:22:52:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0x4b0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:24
                                        Start time:22:52:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:25
                                        Start time:22:52:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:26
                                        Start time:22:52:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0x4b0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:27
                                        Start time:22:52:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:28
                                        Start time:22:52:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:29
                                        Start time:22:53:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0x4b0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:30
                                        Start time:22:53:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:31
                                        Start time:22:53:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:32
                                        Start time:22:53:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0xcf0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:33
                                        Start time:22:53:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:34
                                        Start time:22:53:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:35
                                        Start time:22:54:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0x4b0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:36
                                        Start time:22:54:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:37
                                        Start time:22:54:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:38
                                        Start time:22:54:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0x4b0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:39
                                        Start time:22:54:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:40
                                        Start time:22:54:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:41
                                        Start time:22:55:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0x4b0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:42
                                        Start time:22:55:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:43
                                        Start time:22:55:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:44
                                        Start time:22:55:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0x4b0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:45
                                        Start time:22:55:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:46
                                        Start time:22:55:33
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:47
                                        Start time:22:56:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                        Imagebase:0x4b0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:48
                                        Start time:22:56:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "ShellExperienceHosts.exe"
                                        Imagebase:0x950000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        General

                                        Target ID:49
                                        Start time:22:56:03
                                        Start date:09/01/2025
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 30 /nobreak
                                        Imagebase:0x800000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Disassembly

                                        Reset < >

                                          Execution Graph

                                          Execution Coverage:17.8%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:26.9%
                                          Total number of Nodes:1422
                                          Total number of Limit Nodes:14
                                          execution_graph 9093 410e7f 9094 410e9a 9093->9094 9095 410eb5 9094->9095 9097 40f42d 9094->9097 9098 40f445 free 9097->9098 9099 40f437 9097->9099 9100 4024e7 46 API calls 9098->9100 9099->9098 9101 40f456 9099->9101 9100->9101 9101->9095 9089 40e63c 9090 40e5d3 6 API calls 9089->9090 9091 40e644 9090->9091 8243 4024c4 8244 40245a 45 API calls 8243->8244 8245 4024cd 8244->8245 8246 4024d2 8245->8246 8247 4024d3 VirtualAlloc 8245->8247 8248 4096c7 _EH_prolog 8262 4096fa 8248->8262 8249 40971c 8250 409827 8283 40118a 8250->8283 8252 409851 8256 40985e ??2@YAPAXI 8252->8256 8253 40983c 8334 409425 8253->8334 8254 4094e0 _CxxThrowException ??2@YAPAXI memcpy ??3@YAXPAX 8254->8262 8258 409878 8256->8258 8257 40969d 8 API calls 8257->8262 8263 409925 ??2@YAPAXI 8258->8263 8264 4098c2 8258->8264 8268 409530 3 API calls 8258->8268 8270 409425 3 API calls 8258->8270 8272 4099a2 8258->8272 8277 409a65 8258->8277 8293 409fb4 8258->8293 8297 408ea4 8258->8297 8340 409c13 ??2@YAPAXI 8258->8340 8342 409f49 8258->8342 8260 40e959 VirtualFree ??3@YAXPAX free free 8260->8262 8262->8249 8262->8250 8262->8254 8262->8257 8262->8260 8327 4095b7 8262->8327 8331 409403 8262->8331 8263->8258 8337 409530 8264->8337 8268->8258 8270->8258 8273 409530 3 API calls 8272->8273 8274 4099c7 8273->8274 8275 409425 3 API calls 8274->8275 8275->8249 8279 409530 3 API calls 8277->8279 8280 409a84 8279->8280 8281 409425 3 API calls 8280->8281 8281->8249 8284 401198 GetDiskFreeSpaceExW 8283->8284 8285 4011ee SendMessageW 8283->8285 8284->8285 8286 4011b0 8284->8286 8291 4011d6 8285->8291 8286->8285 8287 401f9d 19 API calls 8286->8287 8288 4011c9 8287->8288 8289 407717 25 API calls 8288->8289 8290 4011cf 8289->8290 8290->8291 8292 4011e7 8290->8292 8291->8252 8291->8253 8292->8285 8294 409fdd 8293->8294 8346 409dff 8294->8346 8620 40aef3 8297->8620 8300 408ec1 8300->8258 8302 408fd5 8638 408b7c 8302->8638 8303 408f0d ??2@YAPAXI 8312 408ef5 8303->8312 8305 408f31 ??2@YAPAXI 8305->8312 8312->8302 8312->8303 8312->8305 8680 40cdb8 ??2@YAPAXI 8312->8680 8328 4095c6 8327->8328 8330 4095cc 8327->8330 8328->8262 8329 4095e2 _CxxThrowException 8329->8328 8330->8328 8330->8329 8332 40e8e2 4 API calls 8331->8332 8333 40940b 8332->8333 8333->8262 8335 40e8da 3 API calls 8334->8335 8336 409433 8335->8336 8338 408963 3 API calls 8337->8338 8339 40953b 8338->8339 8341 409c45 8340->8341 8341->8258 8345 409f4e 8342->8345 8343 409f75 8343->8258 8344 409cde 110 API calls 8344->8345 8345->8343 8345->8344 8348 409e04 8346->8348 8347 409e3a 8347->8258 8348->8347 8350 409cde 8348->8350 8351 409cf8 8350->8351 8355 401626 8351->8355 8418 40db1f 8351->8418 8352 409d2c 8352->8348 8356 401642 8355->8356 8362 401638 8355->8362 8421 40a62f _EH_prolog 8356->8421 8358 40166f 8489 40eca9 8358->8489 8359 401411 2 API calls 8361 401688 8359->8361 8363 401962 ??3@YAXPAX 8361->8363 8364 40169d 8361->8364 8362->8352 8368 40eca9 VariantClear 8363->8368 8447 401329 8364->8447 8367 4016a8 8451 401454 8367->8451 8368->8362 8371 401362 2 API calls 8372 4016c7 ??3@YAXPAX 8371->8372 8377 4016d9 8372->8377 8404 401928 ??3@YAXPAX 8372->8404 8374 40eca9 VariantClear 8374->8362 8375 4016fa 8376 40eca9 VariantClear 8375->8376 8378 401702 ??3@YAXPAX 8376->8378 8377->8375 8379 401764 8377->8379 8388 401725 8377->8388 8378->8358 8382 4017a2 8379->8382 8383 401789 8379->8383 8380 40eca9 VariantClear 8381 401737 ??3@YAXPAX 8380->8381 8381->8358 8385 4017c4 GetLocalTime SystemTimeToFileTime 8382->8385 8386 4017aa 8382->8386 8384 40eca9 VariantClear 8383->8384 8387 401791 ??3@YAXPAX 8384->8387 8385->8386 8386->8388 8389 4017e1 8386->8389 8390 4017f8 8386->8390 8387->8358 8388->8380 8456 403354 lstrlenW 8389->8456 8480 40301a GetFileAttributesW 8390->8480 8394 401934 GetLastError 8394->8404 8395 401818 ??2@YAPAXI 8397 401824 8395->8397 8396 40192a 8396->8394 8493 40db53 8397->8493 8400 40190f 8403 40eca9 VariantClear 8400->8403 8401 40185f GetLastError 8496 4012f7 8401->8496 8403->8404 8404->8374 8405 401871 8406 403354 86 API calls 8405->8406 8409 40187f ??3@YAXPAX 8405->8409 8407 4018cc 8406->8407 8407->8409 8411 40db53 2 API calls 8407->8411 8410 40189c 8409->8410 8412 40eca9 VariantClear 8410->8412 8413 4018f1 8411->8413 8414 4018aa ??3@YAXPAX 8412->8414 8415 4018f5 GetLastError 8413->8415 8416 401906 ??3@YAXPAX 8413->8416 8414->8358 8415->8409 8416->8400 8612 40da56 8418->8612 8422 40a738 8421->8422 8423 40a66a 8421->8423 8424 40a687 8422->8424 8425 40a73d 8422->8425 8423->8424 8426 40a704 8423->8426 8427 40a679 8423->8427 8434 40a6ad 8424->8434 8525 40a3b0 8424->8525 8428 40a6f2 8425->8428 8431 40a747 8425->8431 8433 40a699 8425->8433 8426->8434 8499 40e69c 8426->8499 8427->8428 8429 40a67e 8427->8429 8521 40ed34 8428->8521 8437 40a684 8429->8437 8446 40a6b2 8429->8446 8431->8428 8431->8446 8433->8434 8513 40ed59 8433->8513 8508 40ecae 8434->8508 8436 40a71a 8502 40eced 8436->8502 8437->8424 8437->8433 8443 40eca9 VariantClear 8444 40166b 8443->8444 8444->8358 8444->8359 8446->8434 8517 40ed79 8446->8517 8448 401340 8447->8448 8449 40112b 2 API calls 8448->8449 8450 40134b 8449->8450 8450->8367 8452 4012f7 2 API calls 8451->8452 8453 401462 8452->8453 8540 4013e2 8453->8540 8455 40146d 8455->8371 8457 4024fc 2 API calls 8456->8457 8458 403375 8457->8458 8459 40112b 2 API calls 8458->8459 8462 403385 8458->8462 8459->8462 8461 4033d3 GetSystemTimeAsFileTime GetFileAttributesW 8463 4033e8 8461->8463 8464 4033f2 8461->8464 8462->8461 8472 403477 8462->8472 8543 401986 CreateDirectoryW 8462->8543 8465 40301a 22 API calls 8463->8465 8466 401986 4 API calls 8464->8466 8469 4033f8 ??3@YAXPAX 8464->8469 8465->8464 8478 403405 8466->8478 8467 4034a7 8468 407776 55 API calls 8467->8468 8475 4034b1 ??3@YAXPAX 8468->8475 8477 4034bc 8469->8477 8470 40340a 8549 407776 8470->8549 8472->8467 8472->8469 8473 40346b ??3@YAXPAX 8473->8477 8474 40341d memcpy 8474->8478 8475->8477 8477->8388 8478->8470 8478->8473 8478->8474 8479 401986 4 API calls 8478->8479 8479->8478 8481 403037 8480->8481 8487 401804 8480->8487 8482 403048 8481->8482 8483 40303b SetLastError 8481->8483 8484 403051 8482->8484 8486 40305f FindFirstFileW 8482->8486 8482->8487 8483->8487 8568 402fed 8484->8568 8486->8484 8488 403072 FindClose CompareFileTime 8486->8488 8487->8394 8487->8395 8487->8396 8488->8484 8488->8487 8490 40ec65 8489->8490 8491 40ec86 VariantClear 8490->8491 8492 40ec9d 8490->8492 8491->8362 8492->8362 8609 40db3c 8493->8609 8497 40112b 2 API calls 8496->8497 8498 401311 8497->8498 8498->8405 8500 4012f7 2 API calls 8499->8500 8501 40e6a9 8500->8501 8501->8436 8529 40ecd7 8502->8529 8505 40ed12 8506 40a726 ??3@YAXPAX 8505->8506 8507 40ed17 _CxxThrowException 8505->8507 8506->8434 8507->8506 8532 40ec65 8508->8532 8510 40ecba 8511 40a7b2 8510->8511 8512 40ecbe memcpy 8510->8512 8511->8443 8512->8511 8514 40ed62 8513->8514 8515 40ed67 8513->8515 8516 40ecd7 VariantClear 8514->8516 8515->8434 8516->8515 8518 40ed82 8517->8518 8519 40ed87 8517->8519 8520 40ecd7 VariantClear 8518->8520 8519->8434 8520->8519 8522 40ed42 8521->8522 8523 40ed3d 8521->8523 8522->8434 8524 40ecd7 VariantClear 8523->8524 8524->8522 8526 40a3c2 8525->8526 8527 40a3de 8526->8527 8536 40eda0 8526->8536 8527->8434 8530 40eca9 VariantClear 8529->8530 8531 40ecdf SysAllocString 8530->8531 8531->8505 8531->8506 8533 40ec6d 8532->8533 8534 40ec86 VariantClear 8533->8534 8535 40ec9d 8533->8535 8534->8510 8535->8510 8537 40edae 8536->8537 8538 40eda9 8536->8538 8537->8527 8539 40ecd7 VariantClear 8538->8539 8539->8537 8541 401398 2 API calls 8540->8541 8542 4013f2 8541->8542 8542->8455 8544 4019c7 8543->8544 8545 401997 GetLastError 8543->8545 8544->8462 8546 4019b1 GetFileAttributesW 8545->8546 8548 4019a6 8545->8548 8546->8544 8546->8548 8547 4019a7 SetLastError 8547->8462 8548->8544 8548->8547 8550 401f9d 19 API calls 8549->8550 8551 40778a wvsprintfW 8550->8551 8552 407859 8551->8552 8553 4077ab GetLastError FormatMessageW 8551->8553 8556 4076a8 25 API calls 8552->8556 8554 4077d9 FormatMessageW 8553->8554 8555 4077ee lstrlenW lstrlenW ??2@YAPAXI lstrcpyW lstrcpyW 8553->8555 8554->8552 8554->8555 8560 4076a8 8555->8560 8558 407865 8556->8558 8558->8469 8561 407715 ??3@YAXPAX LocalFree 8560->8561 8562 4076b7 8560->8562 8561->8558 8563 40661a 2 API calls 8562->8563 8564 4076c6 IsWindow 8563->8564 8565 4076ef 8564->8565 8566 4076dd IsBadReadPtr 8564->8566 8567 4073d1 21 API calls 8565->8567 8566->8565 8567->8561 8574 402c86 8568->8574 8570 402ff6 8571 403017 8570->8571 8572 402ffb GetLastError 8570->8572 8571->8487 8573 403006 8572->8573 8573->8487 8575 402c93 GetFileAttributesW 8574->8575 8576 402c8f 8574->8576 8577 402ca4 8575->8577 8578 402ca9 8575->8578 8576->8570 8577->8570 8579 402cc7 8578->8579 8580 402cad SetFileAttributesW 8578->8580 8585 402b79 8579->8585 8582 402cc3 8580->8582 8583 402cba DeleteFileW 8580->8583 8582->8570 8583->8570 8586 4024fc 2 API calls 8585->8586 8587 402b90 8586->8587 8588 40254d 2 API calls 8587->8588 8589 402b9d FindFirstFileW 8588->8589 8590 402c55 SetFileAttributesW 8589->8590 8603 402bbf 8589->8603 8592 402c60 RemoveDirectoryW 8590->8592 8593 402c78 ??3@YAXPAX 8590->8593 8591 401329 2 API calls 8591->8603 8592->8593 8594 402c6d ??3@YAXPAX 8592->8594 8595 402c80 8593->8595 8594->8595 8595->8570 8597 40254d 2 API calls 8597->8603 8598 402c24 SetFileAttributesW 8598->8593 8602 402c2d DeleteFileW 8598->8602 8599 402bef lstrcmpW 8600 402c05 lstrcmpW 8599->8600 8601 402c38 FindNextFileW 8599->8601 8600->8601 8600->8603 8601->8603 8604 402c4e FindClose 8601->8604 8602->8603 8603->8591 8603->8593 8603->8597 8603->8598 8603->8599 8603->8601 8605 402b79 2 API calls 8603->8605 8606 401429 8603->8606 8604->8590 8605->8603 8607 401398 2 API calls 8606->8607 8608 401433 8607->8608 8608->8603 8610 40db1f 2 API calls 8609->8610 8611 401857 8610->8611 8611->8400 8611->8401 8617 40d985 8612->8617 8615 40da65 CreateFileW 8616 40da8a 8615->8616 8616->8352 8618 40d98f CloseHandle 8617->8618 8619 40d99a 8617->8619 8618->8619 8619->8615 8619->8616 8621 40af0c 8620->8621 8636 408ebd 8620->8636 8621->8636 8713 40ac7a 8621->8713 8623 40af3f 8624 40ac7a 7 API calls 8623->8624 8625 40b0cb 8623->8625 8629 40af96 8624->8629 8627 40e959 4 API calls 8625->8627 8626 40afbd 8720 40e959 8626->8720 8627->8636 8629->8625 8629->8626 8630 40b043 8631 40e959 4 API calls 8630->8631 8634 40b07f 8631->8634 8632 408761 _CxxThrowException ??2@YAPAXI memcpy ??3@YAXPAX 8633 40afc6 8632->8633 8633->8630 8633->8632 8635 40e959 4 API calls 8634->8635 8635->8636 8636->8300 8637 4065ea InitializeCriticalSection 8636->8637 8637->8312 8732 4086f0 8638->8732 8681 40cdc7 8680->8681 8682 408761 4 API calls 8681->8682 8683 40cdde 8682->8683 8683->8312 8714 40e8da 3 API calls 8713->8714 8715 40ac86 8714->8715 8724 40e811 8715->8724 8717 40aca2 8717->8623 8718 409403 4 API calls 8719 40ac90 8718->8719 8719->8717 8719->8718 8721 40e93b 8720->8721 8722 40e8da 3 API calls 8721->8722 8723 40e943 ??3@YAXPAX 8722->8723 8723->8633 8725 40e8a5 8724->8725 8726 40e824 8724->8726 8725->8719 8727 40e833 _CxxThrowException 8726->8727 8728 40e863 ??2@YAPAXI 8726->8728 8729 40e895 ??3@YAXPAX 8726->8729 8727->8726 8728->8726 8730 40e879 memcpy 8728->8730 8729->8725 8730->8729 8733 40e8da 3 API calls 8732->8733 8734 4086f8 8733->8734 8735 40e8da 3 API calls 8734->8735 8736 408700 8735->8736 8737 40e8da 3 API calls 8736->8737 8738 408708 8737->8738 9102 40dace 9105 40daac 9102->9105 9108 40da8f 9105->9108 9109 40da56 2 API calls 9108->9109 9110 40daa9 9109->9110 9092 40dadc ReadFile 9111 411def __set_app_type __p__fmode __p__commode 9112 411e5e 9111->9112 9113 411e72 9112->9113 9114 411e66 __setusermatherr 9112->9114 9123 411f66 _controlfp 9113->9123 9114->9113 9116 411e77 _initterm __getmainargs _initterm 9117 411ecb GetStartupInfoA 9116->9117 9119 411eff GetModuleHandleA 9117->9119 9124 4064af _EH_prolog 9119->9124 9123->9116 9127 404faa 9124->9127 9432 401b37 GetModuleHandleW CreateWindowExW 9127->9432 9130 404fdc 9131 40648e MessageBoxA 9130->9131 9133 404ff6 9130->9133 9132 4064a5 exit _XcptFilter 9131->9132 9134 401411 2 API calls 9133->9134 9135 40502d 9134->9135 9136 401411 2 API calls 9135->9136 9137 405035 9136->9137 9435 403e23 9137->9435 9142 40254d 2 API calls 9143 405073 9142->9143 9444 402a69 9143->9444 9145 40507c 9458 403d71 9145->9458 9148 40509b _wtol 9150 4050b1 9148->9150 9463 404405 9150->9463 9151 4050d6 9152 403d71 6 API calls 9151->9152 9153 4050e1 9152->9153 9154 4050e7 9153->9154 9155 405118 9153->9155 9654 404996 9154->9654 9156 405130 GetModuleFileNameW 9155->9156 9158 40112b 2 API calls 9155->9158 9159 405151 9156->9159 9160 405142 9156->9160 9158->9156 9165 403d71 6 API calls 9159->9165 9162 407776 55 API calls 9160->9162 9161 4050ee ??3@YAXPAX 9672 403e70 9161->9672 9170 4050ec 9162->9170 9164 4050ff ??3@YAXPAX ??3@YAXPAX 9164->9132 9177 405173 9165->9177 9166 4052d5 9167 401362 2 API calls 9166->9167 9168 4052e5 9167->9168 9169 401362 2 API calls 9168->9169 9174 4052f2 9169->9174 9170->9161 9171 4051fa 9171->9170 9172 40522a 9171->9172 9176 405213 _wtol 9171->9176 9173 403d71 6 API calls 9172->9173 9182 405289 9173->9182 9175 40538d ??2@YAPAXI 9174->9175 9178 401329 2 API calls 9174->9178 9184 405399 9175->9184 9176->9172 9177->9166 9177->9170 9177->9171 9177->9172 9181 401429 2 API calls 9177->9181 9179 405327 9178->9179 9180 401329 2 API calls 9179->9180 9186 40533d 9180->9186 9181->9177 9182->9166 9183 404594 2 API calls 9182->9183 9185 4052ba 9183->9185 9187 4053cf 9184->9187 9191 407776 55 API calls 9184->9191 9185->9166 9189 401362 2 API calls 9185->9189 9190 401362 2 API calls 9186->9190 9488 4025ae 9187->9488 9189->9166 9193 405367 9190->9193 9191->9187 9195 401f9d 19 API calls 9193->9195 9194 4025ae 2 API calls 9197 4053f6 9194->9197 9196 40536e 9195->9196 9198 40254d 2 API calls 9196->9198 9199 4025ae 2 API calls 9197->9199 9200 405377 9198->9200 9201 4053fe 9199->9201 9200->9175 9491 404e3f 9201->9491 9206 40546f 9208 405534 9206->9208 9211 403d71 6 API calls 9206->9211 9207 402844 10 API calls 9209 405441 9207->9209 9210 40e8da 3 API calls 9208->9210 9209->9206 9214 407776 55 API calls 9209->9214 9212 40553c 9210->9212 9213 405493 9211->9213 9215 405573 9212->9215 9519 403093 9212->9519 9213->9208 9221 40549d 9213->9221 9216 405450 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9214->9216 9218 405506 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9215->9218 9219 40557c 9215->9219 9216->9206 9218->9161 9218->9170 9223 405588 wsprintfW 9219->9223 9224 4055ed 9219->9224 9230 401411 2 API calls 9219->9230 9231 401329 ??2@YAPAXI ??3@YAXPAX 9219->9231 9234 401f9d 19 API calls 9219->9234 9703 402f6c ??2@YAPAXI 9219->9703 9709 402425 ??3@YAXPAX ??3@YAXPAX 9219->9709 9221->9218 9677 404cbc 9221->9677 9222 405556 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9225 4054f5 9222->9225 9226 401411 2 API calls 9223->9226 9553 404603 9224->9553 9225->9218 9226->9219 9229 4054cc 9229->9218 9232 407776 55 API calls 9229->9232 9230->9219 9231->9219 9233 4054da ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9232->9233 9233->9225 9234->9219 9235 40584a 9236 404603 26 API calls 9235->9236 9268 40586a 9236->9268 9240 405933 9615 404034 9240->9615 9241 4024fc 2 API calls 9241->9268 9245 4059d8 CoInitialize 9252 40243b lstrcmpW 9245->9252 9246 40595a 9249 40243b lstrcmpW 9246->9249 9247 405935 ??3@YAXPAX 9247->9240 9251 405969 9249->9251 9250 401411 ??2@YAPAXI ??3@YAXPAX 9250->9268 9253 405979 9251->9253 9255 401f9d 19 API calls 9251->9255 9254 4059fe 9252->9254 9736 403b40 9253->9736 9256 405a12 9254->9256 9259 401329 2 API calls 9254->9259 9255->9253 9621 403b59 9256->9621 9258 401362 2 API calls 9258->9268 9259->9256 9262 4055f6 9262->9235 9275 403b94 lstrlenW lstrlenW _wcsnicmp 9262->9275 9279 4057dd _wtol 9262->9279 9296 405878 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9262->9296 9710 40484d 9262->9710 9721 40408b 9262->9721 9264 4073d1 21 API calls 9267 40599c 9264->9267 9265 401329 2 API calls 9265->9268 9266 405a4d 9270 405a2b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9266->9270 9310 405a61 9266->9310 9756 4082e9 9266->9756 9271 4059a7 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9267->9271 9268->9240 9268->9241 9268->9247 9268->9250 9268->9258 9268->9265 9273 402f6c 7 API calls 9268->9273 9612 40243b 9268->9612 9735 402425 ??3@YAXPAX ??3@YAXPAX 9268->9735 9270->9266 9271->9170 9273->9268 9275->9262 9276 405910 ??3@YAXPAX 9276->9268 9277 401411 2 API calls 9277->9310 9279->9262 9280 405bd8 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9302 405bf3 9280->9302 9281 405a9f GetKeyState 9281->9310 9282 405c6c 9283 405ca2 9282->9283 9284 405c74 9282->9284 9288 4012f7 2 API calls 9283->9288 9798 403f85 9284->9798 9286 401429 ??2@YAPAXI ??3@YAXPAX 9286->9310 9289 405cb0 9288->9289 9292 403b59 15 API calls 9289->9292 9297 405cb9 9292->9297 9293 407776 55 API calls 9298 405c13 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9293->9298 9294 40243b lstrcmpW 9294->9310 9295 401362 2 API calls 9299 405c91 ??3@YAXPAX 9295->9299 9296->9170 9301 405cca ??3@YAXPAX 9297->9301 9305 401362 2 API calls 9297->9305 9298->9302 9306 405cd9 9299->9306 9300 401329 ??2@YAPAXI ??3@YAXPAX 9300->9310 9301->9306 9302->9293 9303 405c4a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9302->9303 9303->9302 9304 405bcd ??3@YAXPAX 9304->9310 9305->9301 9307 405d24 9306->9307 9308 405d16 9306->9308 9811 40786b 9307->9811 9628 404a44 9308->9628 9310->9277 9310->9280 9310->9281 9310->9282 9310->9286 9310->9294 9310->9300 9310->9302 9310->9303 9310->9304 9783 407613 9310->9783 9792 407674 9310->9792 9312 405d20 9313 405d65 9312->9313 9817 403e0d 9312->9817 9314 404034 21 API calls 9313->9314 9316 405d77 9314->9316 9318 401411 2 API calls 9316->9318 9319 406373 9316->9319 9320 405d95 9318->9320 9321 4063f7 9319->9321 9324 40243b lstrcmpW 9319->9324 9364 405da8 9320->9364 9821 40453e 9320->9821 9323 40643a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9321->9323 9329 40243b lstrcmpW 9321->9329 9326 406461 9323->9326 9327 406467 ??3@YAXPAX 9323->9327 9325 4063a4 9324->9325 9325->9321 9848 403f48 9325->9848 9326->9327 9328 403e70 4 API calls 9327->9328 9330 406478 ??3@YAXPAX ??3@YAXPAX 9328->9330 9332 406416 9329->9332 9330->9132 9331 401411 ??2@YAPAXI ??3@YAXPAX 9331->9364 9332->9323 9336 406423 9332->9336 9335 405dd8 9339 405de5 9335->9339 9340 4061fa ??3@YAXPAX ??3@YAXPAX 9335->9340 9337 4012f7 2 API calls 9336->9337 9342 406432 9337->9342 9338 4073d1 21 API calls 9343 4063e0 ??3@YAXPAX 9338->9343 9830 4043c6 9339->9830 9344 406312 9340->9344 9341 40243b lstrcmpW 9341->9364 9853 404aff 9342->9853 9343->9321 9347 40636a ??3@YAXPAX 9344->9347 9350 404034 21 API calls 9344->9350 9346 405e45 9352 401329 2 API calls 9346->9352 9347->9319 9355 406321 9350->9355 9356 405e4e 9352->9356 9353 4043c6 2 API calls 9354 405e0e 9353->9354 9357 401362 2 API calls 9354->9357 9838 4048ab 9355->9838 9361 403b7f 19 API calls 9356->9361 9362 405e1a ??3@YAXPAX ??3@YAXPAX GetFileAttributesW 9357->9362 9359 40626b ??3@YAXPAX ??3@YAXPAX 9359->9344 9360 401329 2 API calls 9360->9364 9377 405e57 9361->9377 9365 406211 9362->9365 9366 405e41 9362->9366 9363 40633a SetCurrentDirectoryW 9367 4048ab 4 API calls 9363->9367 9364->9331 9364->9335 9364->9341 9364->9346 9364->9359 9364->9360 9368 401429 2 API calls 9364->9368 9371 403e0d 16 API calls 9365->9371 9366->9346 9369 406362 9367->9369 9370 405ee5 ??3@YAXPAX ??3@YAXPAX 9368->9370 9372 403e0d 16 API calls 9369->9372 9370->9364 9373 406216 9371->9373 9372->9347 9374 407776 55 API calls 9373->9374 9375 40621f 7 API calls 9374->9375 9376 40625e 9375->9376 9376->9359 9378 405f61 _wtol 9377->9378 9379 403bce lstrlenW lstrlenW _wcsnicmp 9377->9379 9380 406025 9377->9380 9378->9377 9379->9377 9381 406080 9380->9381 9382 40602e 9380->9382 9383 401362 2 API calls 9381->9383 9384 406053 9382->9384 9385 406034 9382->9385 9386 40607e 9383->9386 9388 401329 2 API calls 9384->9388 9387 401329 2 API calls 9385->9387 9389 40254d 2 API calls 9386->9389 9390 40603f 9387->9390 9391 406051 9388->9391 9392 406092 9389->9392 9393 40254d 2 API calls 9390->9393 9394 40243b lstrcmpW 9391->9394 9395 401411 2 API calls 9392->9395 9396 406048 9393->9396 9397 406068 9394->9397 9398 40609a 9395->9398 9399 40254d 2 API calls 9396->9399 9397->9392 9401 40254d 2 API calls 9397->9401 9400 401411 2 API calls 9398->9400 9399->9391 9402 4060a2 memset 9400->9402 9401->9386 9403 4060e1 9402->9403 9404 404594 2 API calls 9403->9404 9405 4060fe 9404->9405 9406 401329 2 API calls 9405->9406 9407 406109 9406->9407 9408 403b7f 19 API calls 9407->9408 9409 406112 9408->9409 9410 4061b1 9409->9410 9648 4021ed 9409->9648 9412 4062ee ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9410->9412 9414 4061c5 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9410->9414 9412->9344 9414->9340 9415 406150 9417 403b7f 19 API calls 9415->9417 9416 401429 2 API calls 9418 406147 9416->9418 9419 406168 ShellExecuteExW 9417->9419 9421 40254d 2 API calls 9418->9421 9422 406282 9419->9422 9423 40618c 9419->9423 9421->9415 9426 407776 55 API calls 9422->9426 9424 4061a0 CloseHandle 9423->9424 9425 406192 WaitForSingleObject 9423->9425 9835 402185 9424->9835 9425->9424 9428 40628c 9426->9428 9429 403e0d 16 API calls 9428->9429 9430 406291 9 API calls 9429->9430 9431 4062e1 9430->9431 9431->9412 9433 401b6c SetTimer GetMessageW DispatchMessageW KillTimer DestroyWindow 9432->9433 9434 401b9f GetVersionExW 9432->9434 9433->9434 9434->9130 9434->9131 9436 40112b 2 API calls 9435->9436 9437 403e38 GetCommandLineW 9436->9437 9438 404594 9437->9438 9439 4045ce 9438->9439 9441 4045a2 9438->9441 9440 4045c6 9439->9440 9443 401429 2 API calls 9439->9443 9440->9142 9441->9440 9442 401429 2 API calls 9441->9442 9442->9441 9443->9439 9445 401411 2 API calls 9444->9445 9453 402a79 9445->9453 9446 401362 2 API calls 9447 402b6c ??3@YAXPAX 9446->9447 9447->9145 9448 401429 ??2@YAPAXI ??3@YAXPAX 9448->9453 9449 402b5f 9449->9446 9451 401411 2 API calls 9451->9453 9453->9448 9453->9449 9453->9451 9454 401362 2 API calls 9453->9454 9892 4025c6 9453->9892 9895 40272e 9453->9895 9455 402ad9 ??3@YAXPAX 9454->9455 9456 4013e2 2 API calls 9455->9456 9457 402aee ??3@YAXPAX ??3@YAXPAX 9456->9457 9457->9453 9459 403d80 9458->9459 9460 403dbd 9459->9460 9461 403d9a lstrlenW lstrlenW 9459->9461 9460->9148 9460->9150 9906 401a85 9461->9906 9464 401f47 3 API calls 9463->9464 9465 404416 9464->9465 9466 401f9d 19 API calls 9465->9466 9467 40441d 9466->9467 9468 401f9d 19 API calls 9467->9468 9469 404429 9468->9469 9470 401f9d 19 API calls 9469->9470 9471 404435 9470->9471 9472 401f9d 19 API calls 9471->9472 9473 404441 9472->9473 9474 401f9d 19 API calls 9473->9474 9475 40444d 9474->9475 9476 401f9d 19 API calls 9475->9476 9477 404459 9476->9477 9478 401f9d 19 API calls 9477->9478 9479 404465 9478->9479 9480 404480 SHGetSpecialFolderPathW 9479->9480 9483 404533 #17 9479->9483 9484 401411 2 API calls 9479->9484 9485 401329 ??2@YAPAXI ??3@YAXPAX 9479->9485 9487 402f6c 7 API calls 9479->9487 9911 402425 ??3@YAXPAX ??3@YAXPAX 9479->9911 9480->9479 9481 40449a wsprintfW 9480->9481 9482 401411 2 API calls 9481->9482 9482->9479 9483->9151 9484->9479 9485->9479 9487->9479 9489 4022b0 2 API calls 9488->9489 9490 4025c2 9489->9490 9490->9194 9912 403e86 9491->9912 9493 404e56 9494 403e86 2 API calls 9493->9494 9495 404e65 9494->9495 9916 404343 9495->9916 9499 404e82 ??3@YAXPAX 9500 404343 3 API calls 9499->9500 9501 404e9d 9500->9501 9502 403ec1 2 API calls 9501->9502 9503 404ea8 ??3@YAXPAX wsprintfA 9502->9503 9932 403ef6 9503->9932 9505 404ed0 9506 403ef6 2 API calls 9505->9506 9507 404edb 9506->9507 9508 402844 9507->9508 9509 402851 9508->9509 9517 40dcfb 3 API calls 9509->9517 9510 402863 lstrlenA lstrlenA 9515 402890 9510->9515 9511 40296e 9511->9206 9511->9207 9512 40293b memmove 9512->9511 9512->9515 9513 4028db memcmp 9513->9511 9513->9515 9514 402918 memcmp 9514->9515 9515->9511 9515->9512 9515->9513 9515->9514 9518 40dcc7 GetLastError 9515->9518 9943 402640 9515->9943 9517->9510 9518->9515 9520 4025ae 2 API calls 9519->9520 9536 4030a8 9520->9536 9521 403301 9522 403344 ??3@YAXPAX 9521->9522 9523 40334e 9522->9523 9523->9215 9523->9222 9524 401411 ??2@YAPAXI ??3@YAXPAX 9524->9536 9526 40272e ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9526->9536 9527 401362 2 API calls 9528 4030f3 ??3@YAXPAX ??3@YAXPAX 9527->9528 9529 403303 9528->9529 9528->9536 9956 4029c3 9529->9956 9533 40331c ??3@YAXPAX 9533->9523 9534 4031e5 strncmp 9535 4031d0 strncmp 9534->9535 9534->9536 9535->9534 9535->9536 9536->9521 9536->9524 9536->9526 9536->9527 9536->9529 9536->9534 9537 401362 2 API calls 9536->9537 9538 402640 2 API calls 9536->9538 9541 402640 ??2@YAPAXI ??3@YAXPAX 9536->9541 9544 402f6c 7 API calls 9536->9544 9546 403330 9536->9546 9547 4032b2 lstrcmpW 9536->9547 9551 401329 2 API calls 9536->9551 9946 402986 9536->9946 9951 4023dd 9536->9951 9955 402425 ??3@YAXPAX ??3@YAXPAX 9536->9955 9539 403252 ??3@YAXPAX 9537->9539 9538->9535 9540 402a69 9 API calls 9539->9540 9542 403263 lstrcmpW 9540->9542 9541->9536 9542->9536 9544->9536 9549 402f6c 7 API calls 9546->9549 9547->9536 9548 4032c0 lstrcmpW 9547->9548 9548->9536 9550 40333c 9549->9550 9974 402425 ??3@YAXPAX ??3@YAXPAX 9550->9974 9551->9536 9554 40243b lstrcmpW 9553->9554 9555 40461c 9554->9555 9556 40466c 9555->9556 9558 401329 2 API calls 9555->9558 9557 40243b lstrcmpW 9556->9557 9559 40468a 9557->9559 9560 404633 9558->9560 9563 40243b lstrcmpW 9559->9563 9561 401f9d 19 API calls 9560->9561 9562 40463a 9561->9562 9565 40254d 2 API calls 9562->9565 9564 4046a2 9563->9564 9567 40243b lstrcmpW 9564->9567 9566 404643 9565->9566 9568 401329 2 API calls 9566->9568 9569 4046ba 9567->9569 9570 40465c 9568->9570 9572 40243b lstrcmpW 9569->9572 9571 401f9d 19 API calls 9570->9571 9573 404663 9571->9573 9574 4046d2 9572->9574 9575 40254d 2 API calls 9573->9575 9576 4046e9 9574->9576 9577 4046d9 lstrcmpiW 9574->9577 9575->9556 9578 40243b lstrcmpW 9576->9578 9577->9576 9579 4046ff 9578->9579 9580 40243b lstrcmpW 9579->9580 9581 40472c 9580->9581 9582 404739 9581->9582 9976 403d1f 9581->9976 9584 40243b lstrcmpW 9582->9584 9588 40474d 9584->9588 9585 40476d 9586 40243b lstrcmpW 9585->9586 9593 404780 9586->9593 9588->9585 9589 40243b lstrcmpW 9588->9589 9980 403cc6 9588->9980 9589->9588 9590 4047a0 9592 40243b lstrcmpW 9590->9592 9594 4047ac 9592->9594 9593->9590 9595 40243b lstrcmpW 9593->9595 9984 403cf7 9593->9984 9596 40243b lstrcmpW 9594->9596 9595->9593 9597 4047bd 9596->9597 9598 40243b lstrcmpW 9597->9598 9599 4047ce 9598->9599 9600 4047e4 9599->9600 9601 4047db _wtol 9599->9601 9602 40243b lstrcmpW 9600->9602 9601->9600 9603 4047f0 9602->9603 9604 404800 9603->9604 9605 4047f7 _wtol 9603->9605 9606 40243b lstrcmpW 9604->9606 9605->9604 9607 40480c 9606->9607 9608 40243b lstrcmpW 9607->9608 9609 404824 9608->9609 9610 40243b lstrcmpW 9609->9610 9611 40483c 9610->9611 9611->9262 9613 4023dd lstrcmpW 9612->9613 9614 40244c 9613->9614 9614->9268 9616 404045 9615->9616 9617 404088 9615->9617 9618 4012f7 2 API calls 9616->9618 9619 403b7f 19 API calls 9616->9619 9617->9245 9617->9246 9618->9616 9620 404062 SetEnvironmentVariableW ??3@YAXPAX 9619->9620 9620->9616 9620->9617 9622 40393b 7 API calls 9621->9622 9623 403b69 9622->9623 9624 4039f6 7 API calls 9623->9624 9625 403b74 9624->9625 9626 4027c7 6 API calls 9625->9626 9627 403b7a 9626->9627 9627->9266 9739 4083b6 9627->9739 9992 408676 9628->9992 9630 404a55 ??2@YAPAXI 9631 404a64 9630->9631 9645 40dcfb 3 API calls 9631->9645 9632 404a85 9994 40a7de _EH_prolog 9632->9994 10010 40b2fc 9632->10010 9633 404a95 9634 404ab3 9633->9634 9635 404a99 9633->9635 9637 404ada ??2@YAPAXI 9634->9637 9641 403354 86 API calls 9634->9641 9636 407776 55 API calls 9635->9636 9640 404aa1 9636->9640 9638 404ae6 9637->9638 9639 404aed 9637->9639 10035 404292 9638->10035 10016 40150b 9639->10016 9640->9312 9643 404ac6 9641->9643 9643->9637 9643->9640 9645->9632 9649 402200 LoadLibraryA GetProcAddress 9648->9649 9650 4021fb 9648->9650 9651 40221b 9649->9651 9652 402223 9649->9652 9650->9410 9650->9415 9650->9416 9651->9650 9652->9651 10498 4021b9 LoadLibraryA GetProcAddress 9652->10498 9655 40661a 2 API calls 9654->9655 9656 4049af 9655->9656 9657 401f9d 19 API calls 9656->9657 9658 4049bd 9657->9658 9659 4024fc 2 API calls 9658->9659 9660 4049c7 9659->9660 9661 4049fd 9660->9661 9663 40254d ??2@YAPAXI ??3@YAXPAX 9660->9663 9662 40254d 2 API calls 9661->9662 9664 404a0a 9662->9664 9663->9660 9665 401f9d 19 API calls 9664->9665 9666 404a11 9665->9666 9667 40254d 2 API calls 9666->9667 9668 404a1b 9667->9668 9669 4073d1 21 API calls 9668->9669 9670 404a30 ??3@YAXPAX 9669->9670 9671 404a41 9670->9671 9671->9170 9673 40e8da 3 API calls 9672->9673 9674 403e7e 9673->9674 9675 40e8da 3 API calls 9674->9675 9676 40e943 ??3@YAXPAX 9675->9676 9676->9164 9678 40db53 2 API calls 9677->9678 9679 404ce8 9678->9679 9680 404d44 9679->9680 9682 4024fc 2 API calls 9679->9682 9681 4025ae 2 API calls 9680->9681 9683 404d4c 9681->9683 9684 404cf7 9682->9684 9685 403e86 2 API calls 9683->9685 9688 404db5 ??3@YAXPAX 9684->9688 9690 403354 86 API calls 9684->9690 9686 404d59 9685->9686 9687 403ef6 2 API calls 9686->9687 9689 404d66 9687->9689 9702 404db1 9688->9702 9691 403ef6 2 API calls 9689->9691 9692 404d1b 9690->9692 9693 404d73 9691->9693 9692->9688 9695 40db53 2 API calls 9692->9695 9694 403ef6 2 API calls 9693->9694 9696 404d80 9694->9696 9697 404d37 9695->9697 9698 40dd5f 2 API calls 9696->9698 9697->9688 9699 404d3b ??3@YAXPAX 9697->9699 9700 404d94 9698->9700 9699->9680 9700->9688 9701 404d9d ??3@YAXPAX 9700->9701 9701->9702 9702->9229 9704 402f86 9703->9704 9705 402f7b 9703->9705 9707 408761 4 API calls 9704->9707 10500 402668 9705->10500 9708 402f92 9707->9708 9708->9219 9709->9219 9711 4024fc 2 API calls 9710->9711 9712 40485f 9711->9712 9713 40254d 2 API calls 9712->9713 9714 40486c 9713->9714 9715 404888 9714->9715 9716 401429 2 API calls 9714->9716 9717 40254d 2 API calls 9715->9717 9716->9714 9718 404892 9717->9718 9719 40408b 94 API calls 9718->9719 9720 40489d ??3@YAXPAX 9719->9720 9720->9262 9722 4040a2 lstrlenW 9721->9722 9723 4040ce 9721->9723 9724 401a85 4 API calls 9722->9724 9723->9262 9725 4040b8 9724->9725 9725->9722 9725->9723 9726 4040d5 9725->9726 9727 4024fc 2 API calls 9726->9727 9730 4040de 9727->9730 10505 402776 9730->10505 9731 403093 84 API calls 9732 40414c 9731->9732 9733 404156 ??3@YAXPAX ??3@YAXPAX 9732->9733 9734 40416d ??3@YAXPAX ??3@YAXPAX 9732->9734 9733->9723 9734->9723 9735->9276 9737 40661a 2 API calls 9736->9737 9738 403b48 9737->9738 9738->9264 9740 408646 9739->9740 9752 4083d5 9739->9752 9740->9270 9741 40243b lstrcmpW 9741->9752 9742 40661a 2 API calls 9742->9752 9743 40786b 23 API calls 9743->9752 9745 407674 23 API calls 9745->9752 9746 407613 23 API calls 9746->9752 9747 403b40 2 API calls 9747->9752 9748 401f9d 19 API calls 9748->9752 9749 407776 55 API calls 9749->9752 9750 403f48 4 API calls 9750->9752 9751 4073d1 21 API calls 9751->9752 9752->9740 9752->9741 9752->9742 9752->9743 9752->9745 9752->9746 9752->9747 9752->9748 9752->9749 9752->9750 9752->9751 9753 407717 25 API calls 9752->9753 9754 4073d1 21 API calls 9752->9754 10515 40744b 9752->10515 9753->9752 9755 408476 ??3@YAXPAX 9754->9755 9755->9752 9757 40243b lstrcmpW 9756->9757 9758 4082fd 9757->9758 9759 40830b 9758->9759 10519 4019f0 GetStdHandle WriteFile 9758->10519 9761 40831e 9759->9761 10520 4019f0 GetStdHandle WriteFile 9759->10520 9766 408333 9761->9766 10521 4019f0 GetStdHandle WriteFile 9761->10521 9765 40243b lstrcmpW 9768 408351 9765->9768 9767 408344 9766->9767 10522 4019f0 GetStdHandle WriteFile 9766->10522 9767->9765 9769 40835f 9768->9769 10523 4019f0 GetStdHandle WriteFile 9768->10523 9771 40243b lstrcmpW 9769->9771 9772 40836c 9771->9772 9773 40837a 9772->9773 10524 4019f0 GetStdHandle WriteFile 9772->10524 9775 40243b lstrcmpW 9773->9775 9776 408387 9775->9776 9777 408395 9776->9777 10525 4019f0 GetStdHandle WriteFile 9776->10525 9779 40243b lstrcmpW 9777->9779 9780 4083a2 9779->9780 9781 4083b2 9780->9781 10526 4019f0 GetStdHandle WriteFile 9780->10526 9781->9266 9784 407636 9783->9784 9785 407658 9784->9785 9786 40764b 9784->9786 10530 407186 9785->10530 10527 407154 9786->10527 9789 407653 9790 4073d1 21 API calls 9789->9790 9791 407671 9790->9791 9791->9310 9793 407689 9792->9793 9794 40716d 2 API calls 9793->9794 9795 407694 9794->9795 9796 4073d1 21 API calls 9795->9796 9797 4076a5 9796->9797 9797->9310 9799 401411 2 API calls 9798->9799 9800 403f96 9799->9800 9801 402535 2 API calls 9800->9801 9802 403f9f GetTempPathW 9801->9802 9803 403fb8 9802->9803 9807 403fcf 9802->9807 9804 402535 2 API calls 9803->9804 9805 403fc3 GetTempPathW 9804->9805 9805->9807 9806 402535 2 API calls 9808 403ff2 wsprintfW 9806->9808 9807->9806 9809 404009 GetFileAttributesW 9807->9809 9810 40402d 9807->9810 9808->9807 9809->9807 9809->9810 9810->9295 9812 40787e 9811->9812 10536 40719f 9812->10536 9815 4073d1 21 API calls 9816 4078b3 9815->9816 9816->9312 9818 403e21 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9817->9818 9819 403e16 9817->9819 9818->9313 9820 402c86 16 API calls 9819->9820 9820->9818 9822 40243b lstrcmpW 9821->9822 9823 40455d 9822->9823 9824 404592 9823->9824 9825 401329 2 API calls 9823->9825 9824->9364 9826 40456c 9825->9826 9827 403b7f 19 API calls 9826->9827 9828 404572 9827->9828 9828->9824 9829 401429 2 API calls 9828->9829 9829->9824 9831 4012f7 2 API calls 9830->9831 9832 4043d4 9831->9832 9833 40254d 2 API calls 9832->9833 9834 4043df 9833->9834 9834->9353 9836 4021a9 9835->9836 9837 40218e LoadLibraryA GetProcAddress 9835->9837 9836->9410 9837->9836 9839 401411 2 API calls 9838->9839 9846 4048bc 9839->9846 9840 401329 2 API calls 9840->9846 9841 40494e 9842 404988 ??3@YAXPAX 9841->9842 9844 4048ab 3 API calls 9841->9844 9842->9363 9843 401429 2 API calls 9843->9846 9845 404985 9844->9845 9845->9842 9846->9840 9846->9841 9846->9843 9847 40243b lstrcmpW 9846->9847 9847->9846 9849 40661a 2 API calls 9848->9849 9850 403f50 9849->9850 9851 401411 2 API calls 9850->9851 9852 403f5e 9851->9852 9852->9338 9854 404cb1 ??3@YAXPAX 9853->9854 9855 404b15 9853->9855 9857 404cb7 9854->9857 9855->9854 9856 404b29 GetDriveTypeW 9855->9856 9856->9854 9858 404b55 9856->9858 9857->9323 9859 403f85 6 API calls 9858->9859 9860 404b63 CreateFileW 9859->9860 9861 404b89 9860->9861 9862 404c7b ??3@YAXPAX ??3@YAXPAX 9860->9862 9863 401411 2 API calls 9861->9863 9862->9857 9864 404b92 9863->9864 9865 401329 2 API calls 9864->9865 9866 404b9f 9865->9866 9867 40254d 2 API calls 9866->9867 9868 404bad 9867->9868 9869 4013e2 2 API calls 9868->9869 9870 404bb9 9869->9870 9871 40254d 2 API calls 9870->9871 9872 404bc7 9871->9872 9873 40254d 2 API calls 9872->9873 9874 404bd4 9873->9874 9875 4013e2 2 API calls 9874->9875 9876 404be0 9875->9876 9877 40254d 2 API calls 9876->9877 9878 404bed 9877->9878 9879 40254d 2 API calls 9878->9879 9880 404bf6 9879->9880 9881 4013e2 2 API calls 9880->9881 9882 404c02 9881->9882 9883 40254d 2 API calls 9882->9883 9884 404c0b 9883->9884 9885 402776 3 API calls 9884->9885 9886 404c1d WriteFile ??3@YAXPAX CloseHandle 9885->9886 9887 404c4b 9886->9887 9888 404c8c 9886->9888 9887->9888 9889 404c53 SetFileAttributesW ShellExecuteW ??3@YAXPAX 9887->9889 9890 402c86 16 API calls 9888->9890 9889->9862 9891 404c94 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9890->9891 9891->9857 9901 4022b0 9892->9901 9896 401411 2 API calls 9895->9896 9897 40273a 9896->9897 9898 402772 9897->9898 9899 402535 2 API calls 9897->9899 9898->9453 9900 402757 MultiByteToWideChar 9899->9900 9900->9898 9902 4022ea 9901->9902 9903 4022be ??2@YAPAXI 9901->9903 9902->9453 9903->9902 9904 4022cf ??3@YAXPAX 9903->9904 9904->9902 9907 401ae3 9906->9907 9910 401a97 9906->9910 9907->9460 9908 401abc CharUpperW CharUpperW 9909 401af3 CharUpperW CharUpperW 9908->9909 9908->9910 9909->9907 9910->9907 9910->9908 9911->9479 9913 403e9e 9912->9913 9914 4022b0 2 API calls 9913->9914 9915 403eac 9914->9915 9915->9493 9917 40435e 9916->9917 9918 404375 9917->9918 9919 40436a 9917->9919 9920 4025ae 2 API calls 9918->9920 9936 4025f6 9919->9936 9921 40437e 9920->9921 9923 4022b0 2 API calls 9921->9923 9925 404387 9923->9925 9924 404373 9928 403ec1 9924->9928 9926 4025f6 2 API calls 9925->9926 9927 4043b5 ??3@YAXPAX 9926->9927 9927->9924 9929 403ecd 9928->9929 9931 403ede 9928->9931 9930 4022b0 2 API calls 9929->9930 9930->9931 9931->9499 9933 403f06 9932->9933 9939 4022fc 9933->9939 9935 403f13 9935->9505 9937 4022b0 2 API calls 9936->9937 9938 402610 9937->9938 9938->9924 9940 402340 9939->9940 9941 402310 9939->9941 9940->9935 9942 4022b0 2 API calls 9941->9942 9942->9940 9944 4022fc 2 API calls 9943->9944 9945 40264a 9944->9945 9945->9515 9947 4025ae 2 API calls 9946->9947 9948 402992 9947->9948 9949 4029be 9948->9949 9950 402640 2 API calls 9948->9950 9949->9536 9950->9948 9954 4023e8 9951->9954 9952 4023f4 lstrcmpW 9953 402411 9952->9953 9952->9954 9953->9536 9954->9952 9954->9953 9955->9536 9957 4029d2 9956->9957 9958 4029de 9956->9958 9975 4019f0 GetStdHandle WriteFile 9957->9975 9960 4025ae 2 API calls 9958->9960 9964 4029e8 9960->9964 9961 4029d9 9973 402425 ??3@YAXPAX ??3@YAXPAX 9961->9973 9962 402a13 9963 40272e 3 API calls 9962->9963 9965 402a25 9963->9965 9964->9962 9968 402640 2 API calls 9964->9968 9966 402a33 9965->9966 9967 402a47 9965->9967 9969 407776 55 API calls 9966->9969 9970 407776 55 API calls 9967->9970 9968->9964 9971 402a42 ??3@YAXPAX ??3@YAXPAX 9969->9971 9970->9971 9971->9961 9973->9533 9974->9522 9975->9961 9977 403d3d 9976->9977 9988 403c63 9977->9988 9981 403cd3 9980->9981 9982 403c63 _wtol 9981->9982 9983 403cf4 9982->9983 9983->9588 9985 403d04 9984->9985 9986 403c63 _wtol 9985->9986 9987 403d1c 9986->9987 9987->9593 9989 403c6d 9988->9989 9990 403c88 _wtol 9989->9990 9991 403cc1 9989->9991 9990->9989 9991->9582 9993 408679 9992->9993 9993->9630 9995 40a7fe 9994->9995 9996 40b2fc 11 API calls 9995->9996 9997 40a823 9996->9997 9998 40a845 9997->9998 9999 40a82c 9997->9999 10040 40cc59 _EH_prolog 9998->10040 10043 40a3fe 9999->10043 10011 40b30d 10010->10011 10015 40dcfb 3 API calls 10011->10015 10012 40b321 10013 40b331 10012->10013 10479 40b163 10012->10479 10013->9633 10015->10012 10017 40151e 10016->10017 10018 401329 2 API calls 10017->10018 10019 40152b 10018->10019 10020 401429 2 API calls 10019->10020 10021 401534 CreateThread 10020->10021 10022 401563 10021->10022 10023 401568 WaitForSingleObject 10021->10023 10492 40129c 10021->10492 10024 40786b 23 API calls 10022->10024 10025 401585 10023->10025 10026 4015b7 10023->10026 10024->10023 10029 4015a3 10025->10029 10032 401594 10025->10032 10027 4015b3 10026->10027 10028 4015bf GetExitCodeThread 10026->10028 10027->9640 10030 4015d6 10028->10030 10031 407776 55 API calls 10029->10031 10030->10027 10030->10032 10033 401605 SetLastError 10030->10033 10031->10027 10032->10027 10034 407776 55 API calls 10032->10034 10033->10032 10034->10027 10036 401411 2 API calls 10035->10036 10037 4042ab 10036->10037 10038 401411 2 API calls 10037->10038 10039 4042b7 10038->10039 10039->9639 10051 40c9fc 10040->10051 10462 40a28e 10043->10462 10073 40a0bf 10051->10073 10207 40a030 10073->10207 10208 40e8da 3 API calls 10207->10208 10209 40a039 10208->10209 10210 40e8da 3 API calls 10209->10210 10211 40a041 10210->10211 10212 40e8da 3 API calls 10211->10212 10213 40a049 10212->10213 10214 40e8da 3 API calls 10213->10214 10215 40a051 10214->10215 10216 40e8da 3 API calls 10215->10216 10217 40a059 10216->10217 10218 40e8da 3 API calls 10217->10218 10219 40a061 10218->10219 10220 40e8da 3 API calls 10219->10220 10221 40a06b 10220->10221 10222 40e8da 3 API calls 10221->10222 10223 40a073 10222->10223 10224 40e8da 3 API calls 10223->10224 10225 40a080 10224->10225 10226 40e8da 3 API calls 10225->10226 10227 40a088 10226->10227 10228 40e8da 3 API calls 10227->10228 10229 40a095 10228->10229 10230 40e8da 3 API calls 10229->10230 10231 40a09d 10230->10231 10232 40e8da 3 API calls 10231->10232 10233 40a0aa 10232->10233 10234 40e8da 3 API calls 10233->10234 10235 40a0b2 10234->10235 10463 40e8da 3 API calls 10462->10463 10464 40a29c 10463->10464 10480 40f0b6 GetLastError 10479->10480 10482 40b17e 10480->10482 10481 40b192 10481->10013 10482->10481 10483 40adc3 3 API calls 10482->10483 10484 40b1b6 memcpy 10483->10484 10489 40b1d9 10484->10489 10485 40b297 ??3@YAXPAX 10485->10481 10486 40b2a2 ??3@YAXPAX 10486->10481 10488 40b27a memmove 10488->10489 10489->10485 10489->10486 10489->10488 10490 40b2ac memcpy 10489->10490 10491 40dcfb 3 API calls 10490->10491 10491->10486 10493 4012a5 10492->10493 10494 4012b8 10492->10494 10493->10494 10495 4012a7 Sleep 10493->10495 10496 4012f1 10494->10496 10497 4012e3 EndDialog 10494->10497 10495->10493 10497->10496 10499 4021db 10498->10499 10499->9651 10501 4012f7 2 API calls 10500->10501 10502 402676 10501->10502 10503 4012f7 2 API calls 10502->10503 10504 402682 10503->10504 10504->9704 10506 4025ae 2 API calls 10505->10506 10507 402785 10506->10507 10508 4027c1 10507->10508 10511 402628 10507->10511 10508->9731 10512 402634 10511->10512 10513 40263a WideCharToMultiByte 10511->10513 10514 4022b0 2 API calls 10512->10514 10513->10508 10514->10513 10516 407456 10515->10516 10517 40745b 10515->10517 10516->9752 10517->10516 10518 4073d1 21 API calls 10517->10518 10518->10516 10519->9759 10520->9761 10521->9766 10522->9767 10523->9769 10524->9773 10525->9777 10526->9781 10528 40661a 2 API calls 10527->10528 10529 40715c 10528->10529 10529->9789 10533 40716d 10530->10533 10534 40661a 2 API calls 10533->10534 10535 407175 10534->10535 10535->9789 10537 40661a 2 API calls 10536->10537 10538 4071a7 10537->10538 10538->9815 8037 40f3f1 8040 4024e7 8037->8040 8045 40245a 8040->8045 8043 4024f5 8044 4024f6 malloc 8046 40246a 8045->8046 8052 402466 8045->8052 8047 40247a GlobalMemoryStatusEx 8046->8047 8046->8052 8048 402488 8047->8048 8047->8052 8048->8052 8053 401f9d 8048->8053 8052->8043 8052->8044 8057 401fb4 8053->8057 8054 401fe5 GetLastError wsprintfW GetEnvironmentVariableW GetLastError 8055 402095 SetLastError 8054->8055 8056 40201d ??2@YAPAXI GetEnvironmentVariableW 8054->8056 8060 401fdb 8055->8060 8061 4020ac 8055->8061 8058 40207e ??3@YAXPAX 8056->8058 8059 40204c GetLastError 8056->8059 8057->8054 8057->8060 8067 402081 8058->8067 8059->8058 8062 402052 8059->8062 8073 407717 8060->8073 8064 4020cb lstrlenA ??2@YAPAXI 8061->8064 8080 401f47 8061->8080 8062->8067 8068 40205c lstrcmpiW 8062->8068 8065 402136 MultiByteToWideChar 8064->8065 8066 4020fc GetLocaleInfoW 8064->8066 8065->8060 8066->8065 8071 402123 _wtol 8066->8071 8067->8055 8068->8058 8072 40206b ??3@YAXPAX 8068->8072 8070 4020c1 8070->8064 8071->8065 8072->8067 8087 40661a 8073->8087 8076 40774e 8091 4073d1 8076->8091 8077 40773c IsBadReadPtr 8077->8076 8081 401f51 GetUserDefaultUILanguage 8080->8081 8082 401f95 8080->8082 8083 401f72 GetSystemDefaultUILanguage 8081->8083 8084 401f6e 8081->8084 8082->8070 8083->8082 8085 401f7e GetSystemDefaultLCID 8083->8085 8084->8070 8085->8082 8086 401f8e 8085->8086 8086->8082 8088 406643 8087->8088 8089 40666f IsWindow 8087->8089 8088->8089 8090 40664b GetSystemMetrics GetSystemMetrics 8088->8090 8089->8076 8089->8077 8090->8089 8092 4073e0 8091->8092 8093 407444 8091->8093 8092->8093 8103 4024fc 8092->8103 8093->8052 8095 4073f1 8096 4024fc 2 API calls 8095->8096 8097 4073fc 8096->8097 8107 403b7f 8097->8107 8100 403b7f 19 API calls 8101 40740e ??3@YAXPAX ??3@YAXPAX 8100->8101 8101->8093 8104 402513 8103->8104 8116 40112b 8104->8116 8106 40251e 8106->8095 8180 403880 8107->8180 8109 403b59 8121 40393b 8109->8121 8111 403b69 8144 4039f6 8111->8144 8113 403b74 8167 4027c7 8113->8167 8117 401177 8116->8117 8118 401139 ??2@YAPAXI 8116->8118 8117->8106 8118->8117 8120 40115a 8118->8120 8119 40116f ??3@YAXPAX 8119->8117 8120->8119 8120->8120 8203 401411 8121->8203 8125 403954 8210 40254d 8125->8210 8127 403961 8128 4024fc 2 API calls 8127->8128 8129 40396e 8128->8129 8214 403805 8129->8214 8132 401362 2 API calls 8133 403992 8132->8133 8134 40254d 2 API calls 8133->8134 8135 40399f 8134->8135 8136 4024fc 2 API calls 8135->8136 8137 4039ac 8136->8137 8138 403805 3 API calls 8137->8138 8139 4039bc ??3@YAXPAX 8138->8139 8140 4024fc 2 API calls 8139->8140 8141 4039d3 8140->8141 8142 403805 3 API calls 8141->8142 8143 4039e2 ??3@YAXPAX ??3@YAXPAX 8142->8143 8143->8111 8145 401411 2 API calls 8144->8145 8146 403a04 8145->8146 8147 401362 2 API calls 8146->8147 8148 403a0f 8147->8148 8149 40254d 2 API calls 8148->8149 8150 403a1c 8149->8150 8151 4024fc 2 API calls 8150->8151 8152 403a29 8151->8152 8153 403805 3 API calls 8152->8153 8154 403a39 ??3@YAXPAX 8153->8154 8155 401362 2 API calls 8154->8155 8156 403a4d 8155->8156 8157 40254d 2 API calls 8156->8157 8158 403a5a 8157->8158 8159 4024fc 2 API calls 8158->8159 8160 403a67 8159->8160 8161 403805 3 API calls 8160->8161 8162 403a77 ??3@YAXPAX 8161->8162 8163 4024fc 2 API calls 8162->8163 8164 403a8e 8163->8164 8165 403805 3 API calls 8164->8165 8166 403a9d ??3@YAXPAX ??3@YAXPAX 8165->8166 8166->8113 8168 401411 2 API calls 8167->8168 8169 4027d5 8168->8169 8170 4027e5 ExpandEnvironmentStringsW 8169->8170 8171 40112b 2 API calls 8169->8171 8172 402809 8170->8172 8173 4027fe ??3@YAXPAX 8170->8173 8171->8170 8239 402535 8172->8239 8174 402840 8173->8174 8174->8100 8177 402824 8178 401362 2 API calls 8177->8178 8179 402838 ??3@YAXPAX 8178->8179 8179->8174 8181 401411 2 API calls 8180->8181 8182 40388e 8181->8182 8183 401362 2 API calls 8182->8183 8184 403899 8183->8184 8185 40254d 2 API calls 8184->8185 8186 4038a6 8185->8186 8187 4024fc 2 API calls 8186->8187 8188 4038b3 8187->8188 8189 403805 3 API calls 8188->8189 8190 4038c3 ??3@YAXPAX 8189->8190 8191 401362 2 API calls 8190->8191 8192 4038d7 8191->8192 8193 40254d 2 API calls 8192->8193 8194 4038e4 8193->8194 8195 4024fc 2 API calls 8194->8195 8196 4038f1 8195->8196 8197 403805 3 API calls 8196->8197 8198 403901 ??3@YAXPAX 8197->8198 8199 4024fc 2 API calls 8198->8199 8200 403918 8199->8200 8201 403805 3 API calls 8200->8201 8202 403927 ??3@YAXPAX ??3@YAXPAX 8201->8202 8202->8109 8204 40112b 2 API calls 8203->8204 8205 401425 8204->8205 8206 401362 8205->8206 8207 40136e 8206->8207 8209 401380 8206->8209 8208 40112b 2 API calls 8207->8208 8208->8209 8209->8125 8211 40255a 8210->8211 8219 401398 8211->8219 8213 402565 8213->8127 8215 40381b 8214->8215 8216 403817 ??3@YAXPAX 8214->8216 8215->8216 8223 4026b1 8215->8223 8227 402f96 8215->8227 8216->8132 8220 4013dc 8219->8220 8221 4013ac 8219->8221 8220->8213 8222 40112b 2 API calls 8221->8222 8222->8220 8224 4026c7 8223->8224 8225 4026db 8224->8225 8231 402346 memmove 8224->8231 8225->8215 8228 402fa5 8227->8228 8230 402fbe 8228->8230 8232 4026e6 8228->8232 8230->8215 8231->8225 8233 4026f6 8232->8233 8234 401398 2 API calls 8233->8234 8235 402702 8234->8235 8238 402346 memmove 8235->8238 8237 40270f 8237->8230 8238->8237 8240 402541 8239->8240 8241 402547 ExpandEnvironmentStringsW 8239->8241 8242 40112b 2 API calls 8240->8242 8241->8177 8242->8241 11204 40e4f9 11205 40e516 11204->11205 11206 40e506 11204->11206 11209 40de46 11206->11209 11212 401b1f VirtualFree 11209->11212 11211 40de81 ??3@YAXPAX 11211->11205 11212->11211

                                          Executed Functions

                                          Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON
                                          Download Yara Rule
                                          APIs
                                            • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                            • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                            • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                            • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                            • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
                                            • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                            • Part of subcall function 00401B37: DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                          • GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
                                          • GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                            • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
                                            • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
                                          • _wtol.MSVCRT ref: 0040509F
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
                                          • GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
                                          • _wtol.MSVCRT ref: 00405217
                                          • ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
                                            • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                            • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                            • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
                                            • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                            • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                            • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
                                            • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                            • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
                                            • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
                                            • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
                                            • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
                                            • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
                                          • wsprintfW.USER32 ref: 00405595
                                          • _wtol.MSVCRT ref: 004057DE
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
                                          • ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
                                          • CoInitialize.OLE32(00000000), ref: 004059E9
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
                                          • GetKeyState.USER32(00000010), ref: 00405AA1
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
                                          • memset.MSVCRT ref: 004060AE
                                          • ShellExecuteExW.SHELL32(?), ref: 0040617E
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
                                          • CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
                                            • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                            • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                            • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                            • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                            • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
                                          • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
                                          • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
                                          • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
                                          • _wtol.MSVCRT ref: 00405F65
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
                                          • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerWindowlstrcpymemcmpwsprintf$AttributesCloseCommandCreateCurrentDestroyDirectoryDispatchErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateVersionWait_wcsnicmpmemmovememsetwvsprintf
                                          • String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
                                          • API String ID: 3696187633-3058303289
                                          • Opcode ID: 5977866f3f404d434c07ccd4e180593b76fbcc2639a316fad07e6ed4a29f6eb3
                                          • Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
                                          • Opcode Fuzzy Hash: 5977866f3f404d434c07ccd4e180593b76fbcc2639a316fad07e6ed4a29f6eb3
                                          • Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D
                                          Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 651 401626-401636 652 401642-40166d call 40874d call 40a62f 651->652 653 401638-40163d 651->653 658 401680-40168c call 401411 652->658 659 40166f 652->659 654 401980-401983 653->654 665 401962-40197d ??3@YAXPAX@Z call 40eca9 658->665 666 401692-401697 658->666 660 401671-40167b call 40eca9 659->660 667 40197f 660->667 665->667 666->665 668 40169d-4016d3 call 401329 call 401454 call 401362 ??3@YAXPAX@Z 666->668 667->654 678 401948-40194b 668->678 679 4016d9-4016f8 668->679 680 40194d-401960 ??3@YAXPAX@Z call 40eca9 678->680 683 401713-401717 679->683 684 4016fa-40170e call 40eca9 ??3@YAXPAX@Z 679->684 680->667 687 401719-40171c 683->687 688 40171e-401723 683->688 684->660 690 40174b-401762 687->690 691 401745-401748 688->691 692 401725 688->692 690->684 695 401764-401787 690->695 691->690 693 401727-40172d 692->693 697 40172f-401740 call 40eca9 ??3@YAXPAX@Z 693->697 701 4017a2-4017a8 695->701 702 401789-40179d call 40eca9 ??3@YAXPAX@Z 695->702 697->660 704 4017c4-4017d6 GetLocalTime SystemTimeToFileTime 701->704 705 4017aa-4017ad 701->705 702->660 706 4017dc-4017df 704->706 708 4017b6-4017c2 705->708 709 4017af-4017b1 705->709 710 4017e1-4017e3 call 403354 706->710 711 4017f8-4017ff call 40301a 706->711 708->706 709->693 714 4017e8-4017eb 710->714 715 401804-401809 711->715 714->697 716 4017f1-4017f3 714->716 717 401934-401943 GetLastError 715->717 718 40180f-401812 715->718 716->693 717->678 719 401818-401822 ??2@YAPAXI@Z 718->719 720 40192a-40192d 718->720 722 401833 719->722 723 401824-401831 719->723 720->717 724 401835-401859 call 4010e2 call 40db53 722->724 723->724 729 40190f-401928 call 408726 call 40eca9 724->729 730 40185f-40187d GetLastError call 4012f7 call 402d5a 724->730 729->680 739 4018ba-4018cf call 403354 730->739 740 40187f-401886 730->740 744 4018d1-4018d9 739->744 745 4018db-4018f3 call 40db53 739->745 743 40188a-40189a ??3@YAXPAX@Z 740->743 746 4018a2-4018b5 call 40eca9 ??3@YAXPAX@Z 743->746 747 40189c-40189e 743->747 744->743 753 4018f5-401904 GetLastError 745->753 754 401906-40190e ??3@YAXPAX@Z 745->754 746->660 747->746 753->743 754->729
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                          • Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
                                          • Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                          • Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58
                                          Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1082 40301a-403031 GetFileAttributesW 1083 403033-403035 1082->1083 1084 403037-403039 1082->1084 1085 403090-403092 1083->1085 1086 403048-40304f 1084->1086 1087 40303b-403046 SetLastError 1084->1087 1088 403051-403058 call 402fed 1086->1088 1089 40305a-40305d 1086->1089 1087->1085 1088->1085 1091 40308d-40308f 1089->1091 1092 40305f-403070 FindFirstFileW 1089->1092 1091->1085 1092->1088 1094 403072-40308b FindClose CompareFileTime 1092->1094 1094->1088 1094->1091
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
                                          • SetLastError.KERNEL32(00000010), ref: 0040303D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: AttributesErrorFileLast
                                          • String ID:
                                          • API String ID: 1799206407-0
                                          • Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                          • Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
                                          • Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                          • Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E
                                          Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
                                          • SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: DiskFreeMessageSendSpace
                                          • String ID:
                                          • API String ID: 696007252-0
                                          • Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                          • Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
                                          • Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                          • Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D
                                          Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 757 411def-411e64 __set_app_type __p__fmode __p__commode call 411f7b 760 411e72-411ec9 call 411f66 _initterm __getmainargs _initterm 757->760 761 411e66-411e71 __setusermatherr 757->761 764 411f05-411f08 760->764 765 411ecb-411ed3 760->765 761->760 766 411ee2-411ee6 764->766 767 411f0a-411f0e 764->767 768 411ed5-411ed7 765->768 769 411ed9-411edc 765->769 770 411ee8-411eea 766->770 771 411eec-411efd GetStartupInfoA 766->771 767->764 768->765 768->769 769->766 772 411ede-411edf 769->772 770->771 770->772 773 411f10-411f12 771->773 774 411eff-411f03 771->774 772->766 775 411f13-411f40 GetModuleHandleA call 4064af exit _XcptFilter 773->775 774->775
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                          • String ID: HpA
                                          • API String ID: 801014965-2938899866
                                          • Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                          • Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
                                          • Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                          • Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58
                                          Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47timewindowCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                          • CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                          • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                          • DispatchMessageW.USER32(?), ref: 00401B89
                                          • KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                          • DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: MessageTimerWindow$CreateDestroyDispatchHandleKillModule
                                          • String ID: Static
                                          • API String ID: 1156981321-2272013587
                                          • Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                          • Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
                                          • Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                          • Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9
                                          Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 781 40b163-40b183 call 40f0b6 784 40b2f6-40b2f9 781->784 785 40b189-40b190 call 40ac2d 781->785 788 40b192-40b194 785->788 789 40b199-40b1d6 call 40adc3 memcpy 785->789 788->784 792 40b1d9-40b1dd 789->792 793 40b202-40b221 792->793 794 40b1df-40b1f2 792->794 800 40b2a2 793->800 801 40b223-40b22b 793->801 795 40b297-40b2a0 ??3@YAXPAX@Z 794->795 796 40b1f8 794->796 799 40b2f4-40b2f5 795->799 796->793 797 40b1fa-40b1fc 796->797 797->793 797->795 799->784 802 40b2a4-40b2a5 800->802 803 40b2a7-40b2aa 801->803 804 40b22d-40b231 801->804 805 40b2ed-40b2f2 ??3@YAXPAX@Z 802->805 803->802 804->793 806 40b233-40b243 804->806 805->799 807 40b245 806->807 808 40b27a-40b292 memmove 806->808 809 40b254-40b258 807->809 808->792 810 40b25a 809->810 811 40b24c-40b24e 809->811 812 40b25c 810->812 811->812 813 40b250-40b251 811->813 812->808 814 40b25e-40b267 call 40ac2d 812->814 813->809 817 40b269-40b278 814->817 818 40b2ac-40b2e5 memcpy call 40dcfb 814->818 817->808 819 40b247-40b24a 817->819 820 40b2e8-40b2eb 818->820 819->809 820->805
                                          APIs
                                          • memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
                                          • memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
                                          • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@memcpymemmove
                                          • String ID:
                                          • API String ID: 3549172513-3916222277
                                          • Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                          • Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
                                          • Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                          • Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D
                                          Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145stringtimeCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 822 403354-40337a lstrlenW call 4024fc 825 403385-403391 822->825 826 40337c-403380 call 40112b 822->826 828 403393-403397 825->828 829 403399-40339f 825->829 826->825 828->829 830 4033a2-4033a4 828->830 829->830 831 4033c8-4033d1 call 401986 830->831 834 4033d3-4033e6 GetSystemTimeAsFileTime GetFileAttributesW 831->834 835 4033b7-4033b9 831->835 838 4033e8-4033f6 call 40301a 834->838 839 4033ff-403408 call 401986 834->839 836 4033a6-4033ae 835->836 837 4033bb-4033bd 835->837 836->837 844 4033b0-4033b4 836->844 840 4033c3 837->840 841 403477-40347d 837->841 838->839 852 4033f8-4033fa 838->852 853 403419-40341b 839->853 854 40340a-403417 call 407776 839->854 840->831 848 4034a7-4034ba call 407776 ??3@YAXPAX@Z 841->848 849 40347f-40348a 841->849 844->837 845 4033b6 844->845 845->835 865 4034bc-4034c0 848->865 849->848 850 40348c-403490 849->850 850->848 856 403492-403497 850->856 860 40349c-4034a5 ??3@YAXPAX@Z 852->860 857 40346b-403475 ??3@YAXPAX@Z 853->857 858 40341d-40343c memcpy 853->858 854->852 856->848 862 403499-40349b 856->862 857->865 863 403451-403455 858->863 864 40343e 858->864 860->865 862->860 867 403440-403448 863->867 868 403457-403464 call 401986 863->868 866 403450 864->866 866->863 867->868 869 40344a-40344e 867->869 868->854 872 403466-403469 868->872 869->866 869->868 872->857 872->858
                                          APIs
                                          • lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                          • GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                          • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                          • ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                            • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                            • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                          • memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 846840743-0
                                          • Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                          • Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
                                          • Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                          • Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD
                                          Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                            • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                            • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                            • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                            • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                            • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                            • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                            • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                            • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
                                            • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
                                          • wsprintfW.USER32 ref: 004044A7
                                            • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                          • #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                          • String ID: 7zSfxFolder%02d$IA
                                          • API String ID: 3387708999-1317665167
                                          • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                          • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
                                          • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                          • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58
                                          Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 913 408ea4-408ebf call 40aef3 916 408ec1-408ecb 913->916 917 408ece-408f07 call 4065ea call 408726 913->917 922 408fd5-408ffb call 408d21 call 408b7c 917->922 923 408f0d-408f17 ??2@YAPAXI@Z 917->923 935 408ffd-409013 call 408858 922->935 936 40901e 922->936 924 408f26 923->924 925 408f19-408f24 923->925 927 408f28-408f61 call 4010e2 ??2@YAPAXI@Z 924->927 925->927 933 408f73 927->933 934 408f63-408f71 927->934 937 408f75-408fae call 4010e2 call 408726 call 40cdb8 933->937 934->937 945 409199-4091b0 935->945 946 409019-40901c 935->946 939 409020-409035 call 40e8da call 40874d 936->939 966 408fb0-408fb2 937->966 967 408fb6-408fbb 937->967 954 409037-409044 ??2@YAPAXI@Z 939->954 955 40906d-40907d 939->955 952 4091b6 945->952 953 40934c-409367 call 4087ea 945->953 946->939 957 4091b9-4091e9 952->957 975 409372-409375 953->975 976 409369-40936f 953->976 958 409046-40904d call 408c96 954->958 959 40904f 954->959 968 4090ad-4090b3 955->968 969 40907f 955->969 978 409219-40925f call 40e811 * 2 957->978 979 4091eb-4091f1 957->979 964 409051-409061 call 408726 958->964 959->964 988 409063-409066 964->988 989 409068 964->989 966->967 970 408fc3-408fcf 967->970 971 408fbd-408fbf 967->971 981 409187-409196 call 408e83 968->981 982 4090b9-4090e6 call 40d94b 968->982 977 409081-4090a7 call 40e959 call 408835 call 408931 call 408963 969->977 970->922 970->923 971->970 975->977 983 40937b-4093a2 call 40e811 975->983 976->975 977->968 1016 409261-409264 978->1016 1017 4092c9 978->1017 986 4091f7-409209 979->986 987 4092b9-4092bb 979->987 981->945 1000 409283-409288 982->1000 1001 4090ec-4090f3 982->1001 1002 4093a4-4093b8 call 408761 983->1002 1003 4093ba-4093d6 983->1003 1014 409293-409295 986->1014 1015 40920f-409211 986->1015 1004 4092bf-4092c4 987->1004 996 40906a 988->996 989->996 996->955 1012 409290 1000->1012 1013 40928a-40928c 1000->1013 1008 409121-409124 1001->1008 1009 4090f5-4090f9 1001->1009 1002->1003 1080 4093d7 call 40ce70 1003->1080 1081 4093d7 call 40f160 1003->1081 1004->977 1022 4092b2-4092b7 1008->1022 1023 40912a-409138 call 408726 1008->1023 1009->1008 1018 4090fb-4090fe 1009->1018 1012->1014 1013->1012 1025 409297-409299 1014->1025 1026 40929d-4092a0 1014->1026 1015->978 1024 409213-409215 1015->1024 1027 409267-40927f call 408761 1016->1027 1030 4092cc-4092d2 1017->1030 1028 409104-409112 call 408726 1018->1028 1029 4092a5-4092aa 1018->1029 1020 4093da-4093e4 call 40e959 1020->977 1022->987 1022->1004 1046 409145-409156 call 40cdb8 1023->1046 1047 40913a-409140 call 40d6f0 1023->1047 1024->978 1025->1026 1026->977 1050 409281 1027->1050 1028->1046 1051 409114-40911f call 40d6cb 1028->1051 1029->1004 1034 4092ac-4092ae 1029->1034 1037 4092d4-4092e0 call 408a55 1030->1037 1038 40931d-409346 call 40e959 * 2 1030->1038 1034->1022 1057 4092e2-4092ec 1037->1057 1058 4092ee-4092fa call 408aa0 1037->1058 1038->953 1038->957 1059 409158-40915a 1046->1059 1060 40915e-409163 1046->1060 1047->1046 1050->1030 1051->1046 1063 409303-40931b call 408761 1057->1063 1074 409300 1058->1074 1075 4093e9-4093fe call 40e959 * 2 1058->1075 1059->1060 1066 409165-409167 1060->1066 1067 40916b-409170 1060->1067 1063->1037 1063->1038 1066->1067 1071 409172-409174 1067->1071 1072 409178-409181 1067->1072 1071->1072 1072->981 1072->982 1074->1063 1075->977 1080->1020 1081->1020
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
                                          • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??2@
                                          • String ID: IA$IA
                                          • API String ID: 1033339047-1400641299
                                          • Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                          • Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
                                          • Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                          • Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44
                                          Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1095 410cd0-410d1a call 410b9a free 1098 410d22-410d23 1095->1098 1099 410d1c-410d1e 1095->1099 1099->1098
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID: $KA$4KA$HKA$\KA
                                          • API String ID: 1294909896-3316857779
                                          • Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                          • Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
                                          • Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                          • Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C
                                          Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1100 4096c7-40970f _EH_prolog call 4010e2 1103 409711-409714 1100->1103 1104 409717-40971a 1100->1104 1103->1104 1105 409730-409755 1104->1105 1106 40971c-409721 1104->1106 1109 409757-40975d 1105->1109 1107 409723-409725 1106->1107 1108 409729-40972b 1106->1108 1107->1108 1110 409b93-409ba4 1108->1110 1111 409763-409767 1109->1111 1112 409827-40983a call 40118a 1109->1112 1113 409769-40976c 1111->1113 1114 40976f-40977e 1111->1114 1121 409851-409876 call 408e4e ??2@YAPAXI@Z 1112->1121 1122 40983c-409846 call 409425 1112->1122 1113->1114 1115 409780-409796 call 4094e0 call 40969d call 40e959 1114->1115 1116 4097a3-4097a8 1114->1116 1137 40979b-4097a1 1115->1137 1119 4097b6-4097f0 call 4094e0 call 40969d call 40e959 call 4095b7 1116->1119 1120 4097aa-4097b4 1116->1120 1125 4097f3-409809 1119->1125 1120->1119 1120->1125 1133 409881-40989a call 4010e2 call 40eb24 1121->1133 1134 409878-40987f call 40ebf7 1121->1134 1144 40984a-40984c 1122->1144 1130 40980c-409814 1125->1130 1136 409816-409825 call 409403 1130->1136 1130->1137 1154 40989d-4098c0 call 40eb19 1133->1154 1134->1133 1136->1130 1137->1109 1144->1110 1157 4098c2-4098c7 1154->1157 1158 4098f6-4098f9 1154->1158 1161 4098c9-4098cb 1157->1161 1162 4098cf-4098e7 call 409530 call 409425 1157->1162 1159 409925-409949 ??2@YAPAXI@Z 1158->1159 1160 4098fb-409900 1158->1160 1164 409954 1159->1164 1165 40994b-409952 call 409c13 1159->1165 1166 409902-409904 1160->1166 1167 409908-40991e call 409530 call 409425 1160->1167 1161->1162 1180 4098e9-4098eb 1162->1180 1181 4098ef-4098f1 1162->1181 1170 409956-40996d call 4010e2 1164->1170 1165->1170 1166->1167 1167->1159 1182 40997b-4099a0 call 409fb4 1170->1182 1183 40996f-409978 1170->1183 1180->1181 1181->1110 1186 4099a2-4099a7 1182->1186 1187 4099e3-4099e6 1182->1187 1183->1182 1190 4099a9-4099ab 1186->1190 1191 4099af-4099b4 1186->1191 1188 4099ec-409a49 call 409603 call 4094b1 call 408ea4 1187->1188 1189 409b4e-409b53 1187->1189 1205 409a4e-409a53 1188->1205 1194 409b55-409b56 1189->1194 1195 409b5b-409b7f 1189->1195 1190->1191 1192 4099b6-4099b8 1191->1192 1193 4099bc-4099d4 call 409530 call 409425 1191->1193 1192->1193 1206 4099d6-4099d8 1193->1206 1207 4099dc-4099de 1193->1207 1194->1195 1195->1154 1208 409ab5-409abb 1205->1208 1209 409a55 1205->1209 1206->1207 1207->1110 1211 409ac1-409ac3 1208->1211 1212 409abd-409abf 1208->1212 1210 409a57 1209->1210 1213 409a5a-409a63 call 409f49 1210->1213 1214 409a65-409a67 1211->1214 1215 409ac5-409ad1 1211->1215 1212->1210 1213->1214 1226 409aa2-409aa4 1213->1226 1217 409a69-409a6a 1214->1217 1218 409a6f-409a71 1214->1218 1219 409ad3-409ad5 1215->1219 1220 409ad7-409add 1215->1220 1217->1218 1223 409a73-409a75 1218->1223 1224 409a79-409a91 call 409530 call 409425 1218->1224 1219->1213 1220->1195 1221 409adf-409ae5 1220->1221 1221->1195 1223->1224 1224->1144 1233 409a97-409a9d 1224->1233 1229 409aa6-409aa8 1226->1229 1230 409aac-409ab0 1226->1230 1229->1230 1230->1195 1233->1144
                                          APIs
                                          • _EH_prolog.MSVCRT ref: 004096D0
                                          • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
                                          • ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
                                            • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??2@$H_prolog
                                          • String ID: HIA
                                          • API String ID: 3431946709-2712174624
                                          • Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                          • Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
                                          • Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                          • Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54
                                          Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118stringCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1236 402844-40288e call 411c20 call 40dcfb lstrlenA * 2 1240 402893-4028af call 40dcc7 1236->1240 1242 4028b5-4028ba 1240->1242 1243 40297f 1240->1243 1242->1243 1244 4028c0-4028ca 1242->1244 1245 402981-402985 1243->1245 1246 4028cd-4028d2 1244->1246 1247 402911-402916 1246->1247 1248 4028d4-4028d9 1246->1248 1249 40293b-40295f memmove 1247->1249 1251 402918-40292b memcmp 1247->1251 1248->1249 1250 4028db-4028ee memcmp 1248->1250 1256 402961-402968 1249->1256 1257 40296e-402979 1249->1257 1252 4028f4-4028fe 1250->1252 1253 40297b-40297d 1250->1253 1254 40290b-40290f 1251->1254 1255 40292d-402939 1251->1255 1252->1243 1258 402900-402906 call 402640 1252->1258 1253->1245 1254->1246 1255->1246 1256->1257 1259 402890 1256->1259 1257->1245 1258->1254 1259->1240
                                          APIs
                                          • lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                          • lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                          • memcmp.MSVCRT(?,?,?), ref: 004028E4
                                          • memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                          • memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcmp$memmove
                                          • String ID:
                                          • API String ID: 3251180759-0
                                          • Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                          • Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
                                          • Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                          • Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55
                                          Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100synchronizationthreadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1263 40150b-401561 call 408726 call 401329 call 401429 CreateThread 1270 401563 call 40786b 1263->1270 1271 401568-401583 WaitForSingleObject 1263->1271 1270->1271 1273 401585-401588 1271->1273 1274 4015b7-4015bd 1271->1274 1277 40158a-40158d 1273->1277 1278 4015ab 1273->1278 1275 40161b 1274->1275 1276 4015bf-4015d4 GetExitCodeThread 1274->1276 1280 401620-401623 1275->1280 1281 4015d6-4015d8 1276->1281 1282 4015de-4015e9 1276->1282 1283 4015a7-4015a9 1277->1283 1284 40158f-401592 1277->1284 1279 4015ad-4015b5 call 407776 1278->1279 1279->1275 1281->1282 1286 4015da-4015dc 1281->1286 1287 4015f1-4015fa 1282->1287 1288 4015eb-4015ec 1282->1288 1283->1279 1289 4015a3-4015a5 1284->1289 1290 401594-401597 1284->1290 1286->1280 1293 401605-401611 SetLastError 1287->1293 1294 4015fc-401603 1287->1294 1292 4015ee-4015ef 1288->1292 1289->1279 1295 401599-40159c 1290->1295 1296 40159e-4015a1 1290->1296 1297 401613-401618 call 407776 1292->1297 1293->1297 1294->1275 1294->1293 1295->1275 1295->1296 1296->1292 1297->1275
                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
                                          • WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
                                            • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                            • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                            • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                            • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                            • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                                          • String ID:
                                          • API String ID: 359084233-0
                                          • Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                          • Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
                                          • Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                          • Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E
                                          Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1300 401986-401995 CreateDirectoryW 1301 4019c7-4019cb 1300->1301 1302 401997-4019a4 GetLastError 1300->1302 1303 4019b1-4019be GetFileAttributesW 1302->1303 1304 4019a6 1302->1304 1303->1301 1306 4019c0-4019c2 1303->1306 1305 4019a7-4019b0 SetLastError 1304->1305 1306->1301 1307 4019c4-4019c5 1306->1307 1307->1305
                                          APIs
                                          • CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
                                          • GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
                                          • SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
                                          • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ErrorLast$AttributesCreateDirectoryFile
                                          • String ID:
                                          • API String ID: 635176117-0
                                          • Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                          • Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
                                          • Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                          • Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89
                                          Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1308 404a44-404a62 call 408676 ??2@YAPAXI@Z 1311 404a64-404a6b call 40a9f8 1308->1311 1312 404a6d 1308->1312 1314 404a6f-404a91 call 408726 call 40dcfb 1311->1314 1312->1314 1341 404a92 call 40b2fc 1314->1341 1342 404a92 call 40a7de 1314->1342 1319 404a95-404a97 1320 404ab3-404abd 1319->1320 1321 404a99-404aa9 call 407776 1319->1321 1323 404ada-404ae4 ??2@YAPAXI@Z 1320->1323 1324 404abf-404ac1 call 403354 1320->1324 1337 404aae-404ab2 1321->1337 1325 404ae6-404aed call 404292 1323->1325 1326 404aef 1323->1326 1331 404ac6-404ac9 1324->1331 1330 404af1-404af6 call 40150b 1325->1330 1326->1330 1336 404afb-404afd 1330->1336 1331->1323 1335 404acb 1331->1335 1338 404ad0-404ad8 1335->1338 1336->1338 1338->1337 1341->1319 1342->1319
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
                                          • ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??2@
                                          • String ID: ExecuteFile
                                          • API String ID: 1033339047-323923146
                                          • Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                          • Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
                                          • Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                          • Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D
                                          Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1343 40adc3-40adce 1344 40add0-40add3 1343->1344 1345 40ae0d-40ae0f 1343->1345 1346 40add5-40ade3 ??2@YAPAXI@Z 1344->1346 1347 40adfb 1344->1347 1348 40adfd-40ae0c ??3@YAXPAX@Z 1346->1348 1349 40ade5-40ade7 1346->1349 1347->1348 1348->1345 1350 40ade9 1349->1350 1351 40adeb-40adf9 memmove 1349->1351 1350->1351 1351->1348
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                          • memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??2@??3@memmove
                                          • String ID:
                                          • API String ID: 3828600508-0
                                          • Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                          • Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
                                          • Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                          • Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A
                                          Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON
                                          Download Yara Rule
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID: @
                                          • API String ID: 1890195054-2766056989
                                          • Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                          • Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
                                          • Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                          • Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D
                                          Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON
                                          Download Yara Rule
                                          APIs
                                            • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
                                            • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                            • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                            • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@ExceptionThrowmemmove
                                          • String ID:
                                          • API String ID: 4269121280-0
                                          • Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                          • Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
                                          • Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                          • Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99
                                          Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@H_prolog
                                          • String ID:
                                          • API String ID: 1329742358-0
                                          • Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                          • Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
                                          • Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                          • Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B
                                          Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON
                                          Download Yara Rule
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??2@??3@
                                          • String ID:
                                          • API String ID: 1936579350-0
                                          • Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
                                          • Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
                                          • Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
                                          • Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754
                                          Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON
                                          Download Yara Rule
                                          APIs
                                          • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
                                          • GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ErrorFileLastPointer
                                          • String ID:
                                          • API String ID: 2976181284-0
                                          • Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
                                          • Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
                                          • Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
                                          • Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64
                                          Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • SysAllocString.OLEAUT32(?), ref: 0040ED05
                                          • _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: AllocExceptionStringThrow
                                          • String ID:
                                          • API String ID: 3773818493-0
                                          • Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
                                          • Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
                                          • Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
                                          • Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9
                                          Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON
                                          Download Yara Rule
                                          APIs
                                          • EnterCriticalSection.KERNEL32(?), ref: 0040E745
                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave
                                          • String ID:
                                          • API String ID: 3168844106-0
                                          • Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
                                          • Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
                                          • Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
                                          • Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4
                                          Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
                                          • Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
                                          • Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
                                          • Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A
                                          Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON
                                          Download Yara Rule
                                          APIs
                                          • SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
                                          • Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
                                          • Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
                                          • Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59
                                          Function 00411A2D Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
                                          • Instruction ID: 375caa893e42e0daca7b158ffe4b4b415bc54d3572d418f3e5e61c8e5be1c541
                                          • Opcode Fuzzy Hash: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
                                          • Instruction Fuzzy Hash: 30F0F272500109BBCF029F85D901AEEBB36EB48354F00811ABA1161160D33A9961AB99
                                          Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON
                                          Download Yara Rule
                                          APIs
                                            • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                          • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: CloseCreateFileHandle
                                          • String ID:
                                          • API String ID: 3498533004-0
                                          • Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
                                          • Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
                                          • Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
                                          • Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94
                                          Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                          Download Yara Rule
                                          APIs
                                          • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
                                          • Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
                                          • Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
                                          • Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54
                                          Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                          Download Yara Rule
                                          APIs
                                          • _beginthreadex.MSVCRT ref: 00406552
                                            • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ErrorLast_beginthreadex
                                          • String ID:
                                          • API String ID: 4034172046-0
                                          • Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
                                          • Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
                                          • Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
                                          • Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60
                                          Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
                                          • Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
                                          • Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
                                          • Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD
                                          Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                                          • Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
                                          • Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                                          • Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54
                                          Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON
                                          Download Yara Rule
                                          APIs
                                          • SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: FileTime
                                          • String ID:
                                          • API String ID: 1425588814-0
                                          • Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                                          • Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
                                          • Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                                          • Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02
                                          Function 0040E9F7 Relevance: 1.3, APIs: 1, Instructions: 65COMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: memmove
                                          • String ID:
                                          • API String ID: 2162964266-0
                                          • Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                                          • Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
                                          • Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                                          • Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54
                                          Function 0040E5D3 Relevance: 1.3, APIs: 1, Instructions: 48COMMON
                                          Download Yara Rule
                                          APIs
                                          • _CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ExceptionThrow
                                          • String ID:
                                          • API String ID: 432778473-0
                                          • Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                                          • Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
                                          • Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                                          • Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50
                                          Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          • Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                                          • Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
                                          • Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                                          • Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59
                                          Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON
                                          Download Yara Rule
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??2@
                                          • String ID:
                                          • API String ID: 1033339047-0
                                          • Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
                                          • Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
                                          • Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
                                          • Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299
                                          Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                          • Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
                                          • Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                          • Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698
                                          Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                          • Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
                                          • Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                          • Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509
                                          Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: FreeVirtual
                                          • String ID:
                                          • API String ID: 1263568516-0
                                          • Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                          • Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
                                          • Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                          • Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09
                                          Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          • Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                          • Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
                                          • Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                          • Instruction Fuzzy Hash:

                                          Non-executed Functions

                                          Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON
                                          Download Yara Rule
                                          APIs
                                          • _wtol.MSVCRT ref: 004034E5
                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
                                          • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
                                          • _wtol.MSVCRT ref: 0040367F
                                          • CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
                                          • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                                          • String ID: .lnk
                                          • API String ID: 408529070-24824748
                                          • Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                          • Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
                                          • Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                          • Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18
                                          Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                          • wsprintfW.USER32 ref: 00401FFD
                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                          • GetLastError.KERNEL32 ref: 00402017
                                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                          • GetLastError.KERNEL32 ref: 0040204C
                                          • lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                          • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                          • ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                          • SetLastError.KERNEL32(00000000), ref: 00402098
                                          • lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                          • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                          • _wtol.MSVCRT ref: 0040212A
                                          • MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                                          • String ID: 7zSfxString%d$XpA$\3A
                                          • API String ID: 2117570002-3108448011
                                          • Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                          • Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
                                          • Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                          • Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18
                                          Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                          • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                          • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                          • SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                          • LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                          • LockResource.KERNEL32(00000000), ref: 00401C41
                                          • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
                                          • GetProcAddress.KERNEL32(00000000), ref: 00401C76
                                          • wsprintfW.USER32 ref: 00401C95
                                          • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
                                          • GetProcAddress.KERNEL32(00000000), ref: 00401CAD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                                          • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                                          • API String ID: 2639302590-365843014
                                          • Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                          • Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
                                          • Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                          • Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8
                                          Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                          • GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                          • FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                          • FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                          • lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                          • lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                          • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                          • lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                          • lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                          • LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                                          • String ID:
                                          • API String ID: 829399097-0
                                          • Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                          • Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
                                          • Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                          • Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4
                                          Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON
                                          Download Yara Rule
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
                                          • lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
                                          • lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
                                          • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
                                          • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
                                          • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
                                          • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
                                          • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
                                          • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
                                          • String ID:
                                          • API String ID: 1862581289-0
                                          • Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                          • Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
                                          • Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                          • Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C
                                          Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON
                                          Download Yara Rule
                                          APIs
                                          • LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
                                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
                                          • GetWindow.USER32(?,00000005), ref: 00406D8F
                                          • GetWindow.USER32(00000000,00000002), ref: 00406DA5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: Window$AddressLibraryLoadProc
                                          • String ID: SetWindowTheme$\EA$uxtheme
                                          • API String ID: 324724604-1613512829
                                          • Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                          • Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
                                          • Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                          • Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC
                                          Function 0041022D Relevance: .5, Instructions: 501COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                                          • Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
                                          • Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                                          • Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84
                                          Function 0041206B Relevance: .1, Instructions: 70COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                                          • Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
                                          • Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                                          • Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0
                                          Function 00411F91 Relevance: .1, Instructions: 70COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                          • Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
                                          • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                          • Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0
                                          Function 0040D72E Relevance: .0, Instructions: 28COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                          • Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
                                          • Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                          • Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50
                                          Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
                                          • WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
                                          • CloseHandle.KERNEL32(004177C4), ref: 00404C40
                                          • SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
                                          • ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
                                          • ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                                          • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                                          • API String ID: 3007203151-3467708659
                                          • Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                          • Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
                                          • Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                          • Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58
                                          Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON
                                          Download Yara Rule
                                          APIs
                                          • lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                            • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                            • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                            • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                            • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                            • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                            • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                          • _wtol.MSVCRT ref: 004047DC
                                          • _wtol.MSVCRT ref: 004047F8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                                          • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
                                          • API String ID: 2725485552-3187639848
                                          • Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                          • Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
                                          • Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                          • Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D
                                          Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
                                          • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
                                            • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                            • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,7675E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
                                          • GetParent.USER32(?), ref: 00402E2E
                                          • LoadLibraryA.KERNEL32(riched20), ref: 00402E42
                                          • GetMenu.USER32(?), ref: 00402E55
                                          • SetThreadLocale.KERNEL32(00000419), ref: 00402E62
                                          • CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
                                          • DestroyWindow.USER32(?), ref: 00402EA3
                                          • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
                                          • GetSysColor.USER32(0000000F), ref: 00402EBC
                                          • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
                                          • SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
                                          • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                                          • String ID: RichEdit20W$STATIC$riched20${\rtf
                                          • API String ID: 1731037045-2281146334
                                          • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                          • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
                                          • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                          • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
                                          Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetWindowDC.USER32(00000000), ref: 00401CD4
                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                          • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                          • GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                          • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                          • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                          • CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                          • CreateCompatibleDC.GDI32(?), ref: 00401D52
                                          • SelectObject.GDI32(00000000,?), ref: 00401D60
                                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                          • SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                          • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                          • GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                          • SelectObject.GDI32(00000000,?), ref: 00401DB3
                                          • SelectObject.GDI32(00000000,?), ref: 00401DB9
                                          • DeleteDC.GDI32(00000000), ref: 00401DC2
                                          • DeleteDC.GDI32(00000000), ref: 00401DC5
                                          • ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                          • ReleaseDC.USER32(00000000,?), ref: 00401DDB
                                          • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                          • String ID:
                                          • API String ID: 3462224810-0
                                          • Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                          • Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
                                          • Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                          • Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
                                          Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetClassNameA.USER32(?,?,00000040), ref: 00401E05
                                          • lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
                                          • GetMenu.USER32(?), ref: 00401E44
                                            • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                            • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                            • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                            • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                            • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                            • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
                                          • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
                                          • memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
                                          • CoInitialize.OLE32(00000000), ref: 00401E8C
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
                                          • GlobalFree.KERNEL32(00000000), ref: 00401ECD
                                            • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
                                            • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                            • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                            • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                            • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                            • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                            • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                            • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
                                            • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                            • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                            • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                            • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
                                            • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
                                            • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
                                            • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
                                          • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
                                          • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
                                          • GlobalFree.KERNEL32(00000000), ref: 00401F3A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                          • String ID: IMAGES$STATIC
                                          • API String ID: 4202116410-1168396491
                                          • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                          • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
                                          • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                          • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
                                          Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON
                                          Download Yara Rule
                                          APIs
                                            • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                            • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                          • GetDlgItem.USER32(?,000004B8), ref: 0040816A
                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
                                          • GetDlgItem.USER32(?,000004B5), ref: 004081C0
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
                                          • GetDlgItem.USER32(?,000004B5), ref: 004081D5
                                          • SetWindowLongW.USER32(00000000), ref: 004081D8
                                          • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
                                          • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
                                          • GetDlgItem.USER32(?,000004B4), ref: 0040821A
                                          • SetFocus.USER32(00000000), ref: 0040821D
                                          • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
                                          • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
                                          • GetDlgItem.USER32(?,00000002), ref: 00408294
                                          • IsWindow.USER32(00000000), ref: 00408297
                                          • GetDlgItem.USER32(?,00000002), ref: 004082A7
                                          • EnableWindow.USER32(00000000), ref: 004082AA
                                          • GetDlgItem.USER32(?,000004B5), ref: 004082BE
                                          • ShowWindow.USER32(00000000), ref: 004082C1
                                            • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
                                            • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                            • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                            • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
                                            • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                            • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                            • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerwsprintf
                                          • String ID:
                                          • API String ID: 1309318444-0
                                          • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                          • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
                                          • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                          • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
                                          Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON
                                          Download Yara Rule
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
                                          • strncmp.MSVCRT ref: 004031F1
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
                                          • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
                                          • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@$lstrcmpstrncmp
                                          • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
                                          • API String ID: 2881732429-172299233
                                          • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                          • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
                                          • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                          • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
                                          Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetDlgItem.USER32(?,000004B3), ref: 00406A69
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
                                          • GetDlgItem.USER32(?,000004B4), ref: 00406AA5
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
                                          • GetSystemMetrics.USER32(00000010), ref: 00406B0B
                                          • GetSystemMetrics.USER32(00000011), ref: 00406B11
                                          • GetSystemMetrics.USER32(00000008), ref: 00406B18
                                          • GetSystemMetrics.USER32(00000007), ref: 00406B1F
                                          • GetParent.USER32(?), ref: 00406B43
                                          • GetClientRect.USER32(00000000,?), ref: 00406B55
                                          • ClientToScreen.USER32(?,?), ref: 00406B68
                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
                                          • GetClientRect.USER32(?,?), ref: 00406C55
                                          • ClientToScreen.USER32(?,?), ref: 00406B71
                                            • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                          • GetSystemMetrics.USER32(00000008), ref: 00406CD6
                                          • GetSystemMetrics.USER32(00000007), ref: 00406CDD
                                            • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
                                            • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                          • String ID:
                                          • API String ID: 747815384-0
                                          • Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                          • Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
                                          • Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                          • Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64
                                          Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                          • LoadIconW.USER32(00000000), ref: 00407D33
                                          • GetSystemMetrics.USER32(00000032), ref: 00407D43
                                          • GetSystemMetrics.USER32(00000031), ref: 00407D48
                                          • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                          • LoadImageW.USER32(00000000), ref: 00407D54
                                          • SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                          • SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                          • GetWindow.USER32(?,00000005), ref: 00407E76
                                          • GetWindow.USER32(?,00000005), ref: 00407E92
                                          • GetWindow.USER32(?,00000005), ref: 00407EAA
                                          • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
                                          • LoadIconW.USER32(00000000), ref: 00407F0D
                                          • GetDlgItem.USER32(?,000004B1), ref: 00407F28
                                          • SendMessageW.USER32(00000000), ref: 00407F2F
                                            • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                            • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                            • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                            • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                                          • String ID:
                                          • API String ID: 1889686859-0
                                          • Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                          • Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
                                          • Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                          • Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF
                                          Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetParent.USER32(?), ref: 00406F45
                                          • GetWindowLongW.USER32(00000000), ref: 00406F4C
                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
                                          • GetSystemMetrics.USER32(00000031), ref: 00406F91
                                          • GetSystemMetrics.USER32(00000032), ref: 00406F98
                                          • GetWindowDC.USER32(?), ref: 00406FAA
                                          • GetWindowRect.USER32(?,?), ref: 00406FB7
                                          • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
                                          • ReleaseDC.USER32(?,00000000), ref: 00406FF3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                          • String ID:
                                          • API String ID: 2586545124-0
                                          • Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                          • Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
                                          • Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                          • Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64
                                          Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetDlgItem.USER32(?,000004B3), ref: 0040678E
                                          • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
                                          • GetDlgItem.USER32(?,000004B4), ref: 004067AB
                                          • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
                                          • SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
                                          • GetDlgItem.USER32(?,?), ref: 004067CC
                                          • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
                                          • GetDlgItem.USER32(?,?), ref: 004067DD
                                          • SetFocus.USER32(00000000,?,000004B4,76760E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ItemMessageSend$Focus
                                          • String ID:
                                          • API String ID: 3946207451-0
                                          • Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                          • Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
                                          • Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                          • Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28
                                          Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON
                                          Download Yara Rule
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID: IA$IA$IA$IA$IA$IA
                                          • API String ID: 613200358-3743982587
                                          • Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                          • Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
                                          • Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                          • Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58
                                          Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON
                                          Download Yara Rule
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
                                          • API String ID: 613200358-994561823
                                          • Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                          • Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
                                          • Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                          • Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E
                                          Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON
                                          Download Yara Rule
                                          APIs
                                          • memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
                                          • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
                                          • GetDC.USER32(00000000), ref: 00406DFB
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
                                          • MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
                                          • ReleaseDC.USER32(00000000,?), ref: 00406E24
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
                                          • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                                          • String ID:
                                          • API String ID: 2693764856-0
                                          • Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                          • Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
                                          • Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                          • Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65
                                          Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetDC.USER32(?), ref: 0040696E
                                          • GetSystemMetrics.USER32(0000000B), ref: 0040698A
                                          • GetSystemMetrics.USER32(0000003D), ref: 00406993
                                          • GetSystemMetrics.USER32(0000003E), ref: 0040699B
                                          • SelectObject.GDI32(?,?), ref: 004069B8
                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
                                          • SelectObject.GDI32(?,?), ref: 004069F9
                                          • ReleaseDC.USER32(?,?), ref: 00406A08
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                          • String ID:
                                          • API String ID: 2466489532-0
                                          • Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                          • Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
                                          • Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                          • Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40
                                          Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON
                                          Download Yara Rule
                                          APIs
                                          • lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,7675E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@$CharUpper$lstrlen
                                          • String ID: hAA
                                          • API String ID: 2587799592-1362906312
                                          • Opcode ID: b8720cb8756f8e9e8094298d34df6b31f2892d9def23642e2fc1977912460d31
                                          • Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
                                          • Opcode Fuzzy Hash: b8720cb8756f8e9e8094298d34df6b31f2892d9def23642e2fc1977912460d31
                                          • Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658
                                          Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON
                                          Download Yara Rule
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
                                            • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                            • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                            • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                            • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@$FileTime$AttributesSystemlstrlen
                                          • String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
                                          • API String ID: 4038993085-2279431206
                                          • Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                                          • Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
                                          • Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                                          • Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98
                                          Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON
                                          Download Yara Rule
                                          APIs
                                          • EndDialog.USER32(?,00000000), ref: 00407579
                                          • KillTimer.USER32(?,00000001), ref: 0040758A
                                          • SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
                                          • SuspendThread.KERNEL32(0000026C), ref: 004075CD
                                          • ResumeThread.KERNEL32(0000026C), ref: 004075EA
                                          • EndDialog.USER32(?,00000000), ref: 0040760C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: DialogThreadTimer$KillResumeSuspend
                                          • String ID:
                                          • API String ID: 4151135813-0
                                          • Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                          • Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
                                          • Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                          • Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D
                                          Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON
                                          Download Yara Rule
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                            • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
                                          • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                          • wsprintfA.USER32 ref: 00404EBC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@$wsprintf
                                          • String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
                                          • API String ID: 2704270482-1550708412
                                          • Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                          • Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
                                          • Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                          • Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799
                                          Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON
                                          Download Yara Rule
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
                                          • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
                                          • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID: %%T/$%%T\
                                          • API String ID: 613200358-2679640699
                                          • Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                          • Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
                                          • Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                          • Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98
                                          Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON
                                          Download Yara Rule
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID: %%S/$%%S\
                                          • API String ID: 613200358-358529586
                                          • Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                          • Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
                                          • Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                          • Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98
                                          Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON
                                          Download Yara Rule
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID: %%M/$%%M\
                                          • API String ID: 613200358-4143866494
                                          • Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                          • Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
                                          • Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                          • Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58
                                          Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON
                                          Download Yara Rule
                                          APIs
                                          • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ExceptionThrow
                                          • String ID: $JA$4JA$DJA$TJA$hJA$xJA
                                          • API String ID: 432778473-803145960
                                          • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                          • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
                                          • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                          • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
                                          Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON
                                          Download Yara Rule
                                          APIs
                                            • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
                                            • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                            • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                            • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                          • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??2@$??3@$memmove
                                          • String ID: IA$IA$IA
                                          • API String ID: 4294387087-924693538
                                          • Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                          • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
                                          • Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                          • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
                                          Function 00407B33 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                          • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                          • wsprintfW.USER32 ref: 00407BBB
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@ItemMessageSendwsprintf
                                          • String ID: %d%%
                                          • API String ID: 3767627759-1518462796
                                          • Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                          • Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
                                          • Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                          • Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59
                                          Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON
                                          Download Yara Rule
                                          APIs
                                          • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
                                          • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
                                          • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
                                          • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??2@??3@ExceptionThrowmemcpy
                                          • String ID: IA
                                          • API String ID: 3462485524-3293647318
                                          • Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                          • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
                                          • Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                          • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
                                          Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON
                                          Download Yara Rule
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: wsprintf$ExitProcesslstrcat
                                          • String ID: 0x%p
                                          • API String ID: 2530384128-1745605757
                                          • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                          • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
                                          • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                          • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
                                          Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON
                                          Download Yara Rule
                                          APIs
                                            • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
                                            • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
                                          • GetSystemMetrics.USER32(00000007), ref: 00407A51
                                          • GetSystemMetrics.USER32(00000007), ref: 00407A62
                                          • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: MetricsSystem$??3@
                                          • String ID: 100%%
                                          • API String ID: 2562992111-568723177
                                          • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                          • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
                                          • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                          • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
                                          Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON
                                          Download Yara Rule
                                          APIs
                                          • wsprintfW.USER32 ref: 00407A12
                                            • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                            • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                          • GetDlgItem.USER32(?,000004B3), ref: 004079C6
                                            • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                            • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: TextWindow$ItemLength$??3@wsprintf
                                          • String ID: (%u%s)
                                          • API String ID: 3595513934-2496177969
                                          • Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                          • Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
                                          • Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                          • Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68
                                          Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON
                                          Download Yara Rule
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
                                          • GetProcAddress.KERNEL32(00000000), ref: 00402211
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetNativeSystemInfo$kernel32
                                          • API String ID: 2574300362-3846845290
                                          • Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                          • Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
                                          • Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                          • Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE
                                          Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON
                                          Download Yara Rule
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040219F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64RevertWow64FsRedirection$kernel32
                                          • API String ID: 2574300362-3900151262
                                          • Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                          • Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
                                          • Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                          • Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C
                                          Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
                                          Download Yara Rule
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
                                          • GetProcAddress.KERNEL32(00000000), ref: 004021D1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64DisableWow64FsRedirection$kernel32
                                          • API String ID: 2574300362-736604160
                                          • Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                          • Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
                                          • Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                          • Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC
                                          Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON
                                          Download Yara Rule
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                            • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@$ByteCharMultiWide
                                          • String ID:
                                          • API String ID: 1731127917-0
                                          • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                          • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
                                          • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                          • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
                                          Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
                                          • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
                                          • wsprintfW.USER32 ref: 00403FFB
                                          • GetFileAttributesW.KERNEL32(?), ref: 00404016
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: PathTemp$AttributesFilewsprintf
                                          • String ID:
                                          • API String ID: 1746483863-0
                                          • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                          • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
                                          • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                          • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
                                          Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON
                                          Download Yara Rule
                                          APIs
                                          • CharUpperW.USER32(?,7675E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                          • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                          • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
                                          • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: CharUpper
                                          • String ID:
                                          • API String ID: 9403516-0
                                          • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                          • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
                                          • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                          • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
                                          Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON
                                          Download Yara Rule
                                          APIs
                                            • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                            • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                            • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
                                          • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
                                          • GetDlgItem.USER32(?,000004B7), ref: 00408020
                                          • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                            • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                            • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                            • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                            • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
                                          • String ID:
                                          • API String ID: 2538916108-0
                                          • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                          • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
                                          • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                          • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
                                          Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON
                                          Download Yara Rule
                                          APIs
                                          • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
                                          • GetSystemMetrics.USER32(00000031), ref: 0040683A
                                          • CreateFontIndirectW.GDI32(?), ref: 00406849
                                          • DeleteObject.GDI32(00000000), ref: 00406878
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                          • String ID:
                                          • API String ID: 1900162674-0
                                          • Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                          • Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
                                          • Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                          • Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54
                                          Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON
                                          Download Yara Rule
                                          APIs
                                          • memset.MSVCRT ref: 0040749F
                                          • SHBrowseForFolderW.SHELL32(?), ref: 004074B8
                                          • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
                                          • SHGetMalloc.SHELL32(00000000), ref: 004074FE
                                            • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                            • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                                          • String ID:
                                          • API String ID: 1557639607-0
                                          • Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                          • Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
                                          • Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                          • Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75
                                          Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON
                                          Download Yara Rule
                                          APIs
                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
                                            • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                            • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@$EnvironmentExpandStrings$??2@
                                          • String ID:
                                          • API String ID: 612612615-0
                                          • Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                          • Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
                                          • Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                          • Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8
                                          Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON
                                          Download Yara Rule
                                          APIs
                                            • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                            • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
                                          • SetWindowTextW.USER32(?,?), ref: 00403B12
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ??3@TextWindow$Length
                                          • String ID:
                                          • API String ID: 2308334395-0
                                          • Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                          • Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
                                          • Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                          • Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98
                                          Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • GetObjectW.GDI32(?,0000005C,?), ref: 00407045
                                          • CreateFontIndirectW.GDI32(?), ref: 0040705B
                                          • GetDlgItem.USER32(?,000004B5), ref: 0040706F
                                          • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: CreateFontIndirectItemMessageObjectSend
                                          • String ID:
                                          • API String ID: 2001801573-0
                                          • Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                          • Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
                                          • Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                          • Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19
                                          Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetParent.USER32(?), ref: 00401BA8
                                          • GetWindowRect.USER32(?,?), ref: 00401BC1
                                          • ScreenToClient.USER32(00000000,?), ref: 00401BCF
                                          • ScreenToClient.USER32(00000000,?), ref: 00401BD6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: ClientScreen$ParentRectWindow
                                          • String ID:
                                          • API String ID: 2099118873-0
                                          • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                          • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
                                          • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                          • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
                                          Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                          Download Yara Rule
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: _wtol
                                          • String ID: GUIFlags$[G@
                                          • API String ID: 2131799477-2126219683
                                          • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                          • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
                                          • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                          • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
                                          Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.23193631663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.23193574470.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193667294.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193689913.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.23193713515.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_xsYbMYg5Dr.jbxd
                                          Similarity
                                          • API ID: EnvironmentVariable
                                          • String ID: ?O@
                                          • API String ID: 1431749950-3511380453
                                          • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                          • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
                                          • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                          • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

                                          Executed Functions

                                          Function 0368D01D Relevance: .0, Instructions: 45COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.24016976528.000000000368D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0368D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_368d000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 96b3ffcc195aa5c9d2d83591d4340fa0e10c5e05181f6068277cb57ae735263a
                                          • Instruction ID: 49672f70524b0cec3111133d6f401aab111f5e0d9eb9a4ff6c9fd3076973f7cc
                                          • Opcode Fuzzy Hash: 96b3ffcc195aa5c9d2d83591d4340fa0e10c5e05181f6068277cb57ae735263a
                                          • Instruction Fuzzy Hash: C301F7314043449AE720AF25CD84B6BFF9CDF59334F1C825AED451A282D3799441C6B1
                                          Function 0368D006 Relevance: .0, Instructions: 43COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.24016976528.000000000368D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0368D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_368d000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 65c1d7f5ef43e8ea8efc9ba799f54b586d2ea4fa64f223fa894608dcf16a1e4c
                                          • Instruction ID: 3817b95d0ae2a2dad7b1b1890fcb4b08bb928e7fe436ebe14040c1add84e9964
                                          • Opcode Fuzzy Hash: 65c1d7f5ef43e8ea8efc9ba799f54b586d2ea4fa64f223fa894608dcf16a1e4c
                                          • Instruction Fuzzy Hash: E601717244E3C05EE7128B258D94B56BFB8DF57224F1D81CBE8888F2D3C2699848C772

                                          Executed Functions

                                          Function 07E517D8 Relevance: 13.1, Strings: 10, Instructions: 585COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24033926657.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7e50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Bl$ Bl$$rCl$$rCl$GCl$GCl$GCl$GCl$GCl$GCl
                                          • API String ID: 0-516572804
                                          • Opcode ID: f01ae36d6abe9a8409f8762d9cf9e056738c0e357b70084810981c6771fd821b
                                          • Instruction ID: 43b4208a0d1dbc9603453c19cafd3206b91fb013a8f2e39175ca7f0bd568369c
                                          • Opcode Fuzzy Hash: f01ae36d6abe9a8409f8762d9cf9e056738c0e357b70084810981c6771fd821b
                                          • Instruction Fuzzy Hash: 811268B5B0535D8FCB2597798410BBABFE2AFC6354F18907AD805CF241DA32C885C7A2
                                          Function 07E517BD Relevance: 2.6, Strings: 2, Instructions: 122COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24033926657.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7e50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $rCl$GCl
                                          • API String ID: 0-2228192640
                                          • Opcode ID: 1992db802a40cfda7630878b11736bc7eceb694198de24975fd75eef1c01cd0a
                                          • Instruction ID: 6465a4dfe35d797a695cea645575e04a7746b4abe377e75653154414ae894aee
                                          • Opcode Fuzzy Hash: 1992db802a40cfda7630878b11736bc7eceb694198de24975fd75eef1c01cd0a
                                          • Instruction Fuzzy Hash: F44107F5E0221DDFCB218A298541BBA7BA3AB85354F09A065DC049F241D731CC80CBA7
                                          Function 037B29F0 Relevance: .2, Instructions: 223COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24018677065.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_37b0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f58fc9cb6337139b419dd640ffdc1cc847d02543ce64cef78224a3351cd0ff0
                                          • Instruction ID: 82c93f5521ae48959133c3d6428a4a22f9dfeaf2ef1d20a109832b471a8ef63b
                                          • Opcode Fuzzy Hash: 7f58fc9cb6337139b419dd640ffdc1cc847d02543ce64cef78224a3351cd0ff0
                                          • Instruction Fuzzy Hash: A9918C74A01649CFCB16CF58C494AEEFBB1FF49310B248699D815AB3A6C735EC51CBA0
                                          Function 037B2B00 Relevance: .1, Instructions: 111COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24018677065.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_37b0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6f7dd668e454edd2a44719f9d0dd67812dce7899c765cd69f7043e248b96065f
                                          • Instruction ID: 46f0d47844075c48b35cddfae319f98a42b3b00a0fd4e4d8c7420b0f494f0e63
                                          • Opcode Fuzzy Hash: 6f7dd668e454edd2a44719f9d0dd67812dce7899c765cd69f7043e248b96065f
                                          • Instruction Fuzzy Hash: C5412A74A015098FCB06CF58C498AFAF7B1FF48310B158699D915AB365C736EC51CFA0
                                          Function 037B3C00 Relevance: .1, Instructions: 65COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24018677065.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_37b0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 89534ffd8397582fb8ef26d610e8203d98e7ffaf0c3994a69d18c81450b0b944
                                          • Instruction ID: 16252812ca1ca98edaf90ab215f2b3d753bebe3f766e4357802bcac5c73e57c7
                                          • Opcode Fuzzy Hash: 89534ffd8397582fb8ef26d610e8203d98e7ffaf0c3994a69d18c81450b0b944
                                          • Instruction Fuzzy Hash: 7E213B79A042198FDB00CF99C881AAAFBF5FF89310B15819AD419EB352C735ED41CBA1
                                          Function 037B3BF2 Relevance: .1, Instructions: 57COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24018677065.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_37b0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a79e0761f972f31ea55813e5295de5fdb379d99ca286aa62792aa3e6005a6d8
                                          • Instruction ID: 758baa6de155451615680055936b814649eee6a8c967006dc1437b9bfabe5181
                                          • Opcode Fuzzy Hash: 5a79e0761f972f31ea55813e5295de5fdb379d99ca286aa62792aa3e6005a6d8
                                          • Instruction Fuzzy Hash: 4021E778A042499FCB01DF98D4809AEFBF5FF89310B1581AAD919EB352C735ED41CBA1
                                          Function 0371D01D Relevance: .0, Instructions: 45COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24018010973.000000000371D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0371D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_371d000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aa6d6eb1d75927df7ff6c7a7c5e960c25a1ead73d4764e3b98fbc4a7262beb40
                                          • Instruction ID: 82d015005fc5d69469c8802155522e21cdd12fa5c6d7d9639cb03e466634c591
                                          • Opcode Fuzzy Hash: aa6d6eb1d75927df7ff6c7a7c5e960c25a1ead73d4764e3b98fbc4a7262beb40
                                          • Instruction Fuzzy Hash: AD01A232904348AAE7308A6DC9C4B77FFACDF55734F1C805AED891A242D3799845CEB1
                                          Function 0371D007 Relevance: .0, Instructions: 44COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24018010973.000000000371D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0371D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_371d000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6df9c1cfff0a061470a7bced2d36220a24e20a343e9ec0f480c1c15106f8e4ce
                                          • Instruction ID: 4dbbf285502386eb8b2ce196ec74a91d39abe759b58a425a0acc23a6c9c7b9f5
                                          • Opcode Fuzzy Hash: 6df9c1cfff0a061470a7bced2d36220a24e20a343e9ec0f480c1c15106f8e4ce
                                          • Instruction Fuzzy Hash: 0301527240D3C49ED7128B25CC94B62BFB8DF57224F1D80CBD9889F2A3C2695848CB72

                                          Non-executed Functions

                                          Function 07E5264C Relevance: 6.3, Strings: 5, Instructions: 65COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24033926657.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7e50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $I8k$?El$?El$?El$GCl
                                          • API String ID: 0-3442697592
                                          • Opcode ID: a533dd326ce988e6cfd42370f49d74be44d0a4f8df599e042df90abd5a298540
                                          • Instruction ID: dbf53167e48729577c5471734a081b43416f08e1d235caf258eba8c4fcd3733c
                                          • Opcode Fuzzy Hash: a533dd326ce988e6cfd42370f49d74be44d0a4f8df599e042df90abd5a298540
                                          • Instruction Fuzzy Hash: 5E110AF6E0220ADFC710DB198401BA5BFF9BF85214F14916AD948CB261D772D890C7D1
                                          Function 037B74F8 Relevance: 5.3, Strings: 4, Instructions: 269COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24018677065.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_37b0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 45$45$PP$`5
                                          • API String ID: 0-3684554811
                                          • Opcode ID: a89bbbac6c40ce9d740c8b5650b8d5a75786fb1309b5f9c07f3e118e85f36a6c
                                          • Instruction ID: fa1bfa3b2366b992983aa674c222a58d6fa9a78a8f01455d7f98bdcb3ec2ffcc
                                          • Opcode Fuzzy Hash: a89bbbac6c40ce9d740c8b5650b8d5a75786fb1309b5f9c07f3e118e85f36a6c
                                          • Instruction Fuzzy Hash: B1B11A74E012499FDB09CFA8D484ADDBBF2AF88314F298199E815AB351C774ED46CF90
                                          Function 07E54468 Relevance: 5.2, Strings: 4, Instructions: 231COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24033926657.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7e50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: DOCl$DOCl$GCl$GCl
                                          • API String ID: 0-1875650769
                                          • Opcode ID: afea132dc5be904e8aed03baee82a5955cfed3ee7bef8ba4382c12cda5a832c9
                                          • Instruction ID: 192e2d09869fbe5557f2766d6558b99104d7d89b54d7bfe74baae0b24160a8ef
                                          • Opcode Fuzzy Hash: afea132dc5be904e8aed03baee82a5955cfed3ee7bef8ba4382c12cda5a832c9
                                          • Instruction Fuzzy Hash: BA712AF5B0529A8FCB21CB698401BAABBE1AFC7314F14917AC919CB2D1DA71C8C5C791
                                          Function 037B49F2 Relevance: 5.2, Strings: 4, Instructions: 155COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.24018677065.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_37b0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Ro^$Ro^$Ro^$Ro^
                                          • API String ID: 0-3763963418
                                          • Opcode ID: 4971b298a5259c096c64b8bccc1299d0b2971159b0b4527fe57ab7fb34c1d016
                                          • Instruction ID: 490a5905e0cc4a3bf574c110a37f78e3b4461535a34bccaaea766c41a20a39dc
                                          • Opcode Fuzzy Hash: 4971b298a5259c096c64b8bccc1299d0b2971159b0b4527fe57ab7fb34c1d016
                                          • Instruction Fuzzy Hash: 2151985250F3E26FD703877998A918A3F74AD632A470A41D7C8C9DF0A7C9285C4E93A7